A new method and proof-of-concept tool called EDR-Freeze demonstrates that evading security solutions is possible from user mode with Microsoft's Windows Error Reporting (WER) system.
The technique eliminates the need of a vulnerable driver and puts security agents like endpoint detection and response (EDR) tools into a state of hibernation.
By using the WER framework together with the MiniDumpWriteDump API, security researcher TwoSevenOneThree (Zero Salarium) found a way to suspend indefinitely the activity of EDR and antivirus processes indefinitely.
Existing EDR disabling methods operate based on the “Bring Your Own Vulnerable Driver” (BYOVD) technique, where attackers take a legitimate but vulnerable kernel driver and exploit it for privilege escalationn.
Key drawbacks in the BYOVD attacks include the need to smuggle the driver to the target system, bypass execution protections, and wipe kernel-level artifacts that could expose the operation.
EDR-Freeze is described as a much stealthier method that requires no kernel driver, works entirely from the user mode, and leverages legitimate Windows components that are present by default in the operating system.
How EDR-Freeze works
WerFaultSecure is a Windows Error Reporting component that runs with Protected Process Light (PPL) privileges, designed to collect crash dumps of sensitive system processes for debugging and diagnostic purposes.
MiniDumpWriteDump is an API in the DbgHelp library that generates a snapshot (“minidump”) of a process’s memory and state. While doing so, it suspends alll threads of the target process and resumes them after completing the job.
EDR-Freeze leverages the WerFaultSecure to trigger MiniDumpWriteDump, which temporarily suspends all threads in the target process while the dump is written.
... continue reading