EDR Freeze: In Depth Analysis of the Technique That Silences Endpoint
- Akshay Jain
- 3 days ago
- 2 min read
TL;DR
EDR-Freeze is a PoC that leverages legitimate Windows Error Reporting components (WerFaultSecure + MiniDumpWriteDump) to suspend security product processes without installing drivers. It was published publicly in September 2025, and vendors and defenders have issued guidance. The technique is powerful because it doesn't terminate agents (which triggers alerts); rather, it effectively pauses them, creating a short window for malicious activity.
Why defenders should care
EDR agents are the "eyes and ears" of modern endpoint security. Traditional evasion techniques either try to uninstall/kill agents (loud) or avoid detection by staying stealthy. EDR Freeze blends stealth with direct control: instead of breaking or uninstalling the agent, it uses crash dump mechanics to put the agent into a suspended state for a controllable time window, which is long enough for credential theft, lateral movement, ransomware staging, etc.
Because it uses legitimate OS components, it is harder to detect by signature alone.

How EDR-Freeze works
Key components
Windows Error Reporting subsystem, specifically WerFaultSecure.exe (a trusted dumper used for creating memory dumps of protected processes).
MiniDumpWriteDump API (used to create memory dump files).
CreateProcessAsPPL / PPL (Protected Process Light): the PoC runs the dumper as a PPL so that it has enough protection to interact with other protected processes.
Targeted process, i.e. the EDR/AV process.
Core idea
Invoke the WER dumper (WerFaultSecure) in a way that causes it to create a memory dump of the target EDR process. The minidump operation requires that the target's threads be suspended to produce a consistent dump.
Keep the dumper suspended or in a wait state so the target process's threads remain suspended, effectively freezing the agent.
With the agent's threads suspended, the EDR's detection logic is paused. The attacker has a silent window to run actions.
Resume normal operation later so the endpoint appears healthy and the attack window is brief, reducing the chance of detection.
Prevention & Hardening
Patch & vendor guidance - keep the OS and EDR agents up to date, as vendors are already issuing mitigations and improving anti-tamper behaviors.
Monitor WER usage - log process creation for WerFaultSecure/WerFault and flag unusual parents/command lines, as well as dumper instances that stay alive far longer than a normal crash dump takes.
Least privilege & segmentation - minimize the number of hosts where attackers can perform high-privilege actions; reduce local admin usage.
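The "Monitor WER usage" point above, as an added hunting example (not code from the original post or from the PoC): it walks constructed process create/terminate telemetry and flags WerFaultSecure/WerFault launches whose parent is outside an assumed baseline, or that stay alive past an assumed lifetime threshold, which is the shape a frozen-agent dumper takes. The parent allowlist, the 30-second threshold and the sample events are all assumptions to be tuned against your own telemetry.

```python
"""Added example: hunt for EDR-Freeze-style WerFaultSecure abuse in process telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed baseline parents and lifetime threshold; derive real values from your own fleet.
EXPECTED_PARENTS = {"svchost.exe", "wermgr.exe"}
MAX_DUMPER_LIFETIME = timedelta(seconds=30)
WER_IMAGES = {"werfaultsecure.exe", "werfault.exe"}


@dataclass
class ProcEvent:
    ts: datetime
    kind: str              # "create" or "terminate"
    pid: int
    image: str
    parent_image: str = ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events, now):
    """Return (pid, reason) findings for suspicious WER dumper activity up to `now`."""
    findings, running = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if basename(ev.image) not in WER_IMAGES:
            continue
        if ev.kind == "create":
            running[ev.pid] = ev
            parent = basename(ev.parent_image)
            if parent not in EXPECTED_PARENTS:
                findings.append((ev.pid, f"unexpected parent {parent}"))
        elif ev.kind == "terminate" and ev.pid in running:
            life = ev.ts - running.pop(ev.pid).ts
            if life > MAX_DUMPER_LIFETIME:
                findings.append((ev.pid, f"dumper lived {int(life.total_seconds())}s"))
    # A dumper still alive long after launch matches the "keep the dumper suspended" step.
    for pid, ev in running.items():
        life = now - ev.ts
        if life > MAX_DUMPER_LIFETIME:
            findings.append((pid, f"dumper still running after {int(life.total_seconds())}s"))
    return findings


T0 = datetime(2025, 9, 20, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    ProcEvent(T0, "create", 3100, r"C:\Windows\System32\WerFaultSecure.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(T0 + timedelta(seconds=3), "terminate", 3100, r"C:\Windows\System32\WerFaultSecure.exe"),
    ProcEvent(T0 + timedelta(seconds=60), "create", 4421, r"C:\Windows\System32\WerFaultSecure.exe", r"C:\Users\Public\tool.exe"),
]
SAMPLE_NOW = T0 + timedelta(seconds=180)


def hunt_sample():
    return analyze(SAMPLE_EVENTS, SAMPLE_NOW)
```

The benign svchost-spawned dump that finishes in 3 seconds produces nothing, while the dumper launched from a user-writable path and still alive two minutes later is reported twice, once per signal.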
EDR Freeze was published publicly as a PoC by researcher TwoSevenOneT / Zero Salarium in September 2025 and was quickly analyzed by vendors. Vendors are confirming the technique works in lab conditions against certain agent configurations, and many EDR vendors are releasing guidance and bolstering anti-tamper protections. No large-scale, confirmed in-the-wild attacks using this PoC had been reported publicly at the time of the vendor advisories, but the risk of weaponization is considered high.
Happy cyber-exploration! 🚀🔒
Note: Feel free to drop your thoughts in the comments below - whether it's feedback, a topic you'd love to see covered, or just to say hi! Don’t forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let’s keep the conversation going and make cybersecurity a community effort!
-AJ