
A new proof-of-concept tool named EDR-Freeze demonstrates a significant evolution in attacker evasion techniques. Developed by security researcher TwoSevenOneT, the tool temporarily disables Endpoint Detection and Response (EDR) systems and antivirus software without requiring kernel-level privileges by exploiting the legitimate Windows Error Reporting (WER) service [1]. This “living-off-the-land” approach provides a stealthier alternative to traditional Bring Your Own Vulnerable Driver (BYOVD) attacks, operating entirely from user mode. The tool’s release highlights a continuing trend of attackers abusing trusted Windows components to bypass security controls.
For security leadership, the core takeaway is that a new evasion technique abuses a legitimate Windows function to suspend security processes. The method is effective against processes protected by Protected Process Light (PPL) and leaves minimal forensic traces compared to driver-based attacks. Defensive monitoring strategies should be adjusted to detect anomalous use of the Windows Error Reporting service.
* **Technique:** Abuse of the `MiniDumpWriteDump` function via the Windows Error Reporting service (`WerFaultSecure.exe`).
* **Privilege Level:** User-mode, no kernel driver required.
* **Key Bypass:** Effectively circumvents Protected Process Light (PPL) protections.
* **Primary Detection Signal:** Suspicious `WerFaultSecure.exe` activity targeting security agent Process IDs (PIDs).
* **Impact:** Temporary suspension of EDR/antivirus processes, creating a window for undetected malicious activity.
Technical Mechanism of the EDR-Freeze Attack
The EDR-Freeze technique hinges on the operational behavior of the `MiniDumpWriteDump` function, a standard part of the Windows `DbgHelp` library used for debugging. When this function is called to create a memory dump of a process, it must suspend all threads within the target process to ensure a consistent memory snapshot is captured [2]. The attacker’s innovation lies in weaponizing this inherent suspension mechanism. By launching the Windows Error Reporting process, `WerFaultSecure.exe`, with high privileges and directing it to dump a security process, the attacker initiates the suspension. The core of the attack is a precise race condition where the EDR-Freeze tool suspends the `WerFaultSecure.exe` process itself the moment the target security software is suspended, leaving the security software in a permanent “coma” state.
The attack flow involves several distinct steps. First, the attacker uses a companion tool called `CreateProcessAsPPL` to launch `WerFaultSecure.exe` with `WinTCB`-level PPL privileges, which grants it the necessary access to interact with protected security processes [3]. The `WerFaultSecure.exe` process is then instructed, via command-line parameters, to execute `MiniDumpWriteDump` on a target EDR or antivirus process, such as Windows Defender’s `MsMpEng.exe`. Concurrently, the EDR-Freeze tool monitors the state of the target process. The researcher explains the critical timing: “if we suspend WerFaultSecure right at the moment it puts the target process into a suspended state, the target program will be suspended indefinitely” [2]. This interdependency is what makes the technique effective.
Tool Usage and Evidence of Effectiveness
The EDR-Freeze tool is a command-line utility with a straightforward syntax: `EDR-Freeze.exe [TargetPID] [SleepTime]` [1]. The `TargetPID` parameter is the Process ID of the security software to be suspended, and the `SleepTime` parameter specifies the duration of the suspension in milliseconds. For example, the command `EDR-Freeze.exe 1234 10000` would target the process with PID 1234 and attempt to suspend it for 10 seconds. The tool has been proven effective in a tested environment; the researcher successfully suspended the `MsMpEng.exe` process on Windows 11 24H2 for 5000 milliseconds (5 seconds) [2].
This technique offers a distinct advantage over BYOVD attacks. Because EDR-Freeze uses signed, legitimate Windows components, it avoids the noise associated with loading a third-party, often unsigned or vulnerable, driver into the kernel. The researcher notes that this “addresses the weakness of the BYOVD technique” by operating entirely within the trusted confines of the operating system’s own utilities [2]. This makes the activity harder to distinguish from normal system behavior using signature-based detection methods, placing a greater emphasis on behavioral analytics for defense.
Contextualizing Process Suspension Attacks
The EDR-Freeze method is part of a broader category of attacks that manipulate process states for evasion. Another prominent example is the **Freeze** toolkit, originally developed by Optiv and now maintained by Tylous [10]. While both tools involve process suspension, their objectives and methods differ. EDR-Freeze is an offensive tool designed to directly disable security products by suspending their processes. In contrast, the Freeze toolkit is a payload loader built for defense evasion: it creates a suspended, benign process (like `notepad.exe`) in order to harvest a clean, unhooked copy of `ntdll.dll` from it.
The clean `ntdll.dll` obtained by the Freeze toolkit is then used to overwrite hooks that EDRs place in a malicious process’s memory. This cleaning process occurs before the execution of shellcode, allowing the malicious code to run without triggering the EDR’s monitoring functions [10]. The common thread between EDR-Freeze and Freeze is the strategic use of suspended processes, illustrating that process state manipulation is a fundamental technique in the modern attack landscape. Understanding these nuances is key for developing effective countermeasures.
Defensive Recommendations and Detection Strategies
The primary indicator of compromise for this technique is anomalous activity related to `WerFaultSecure.exe`. Security teams should monitor for instances of `WerFaultSecure.exe` being launched with command-line arguments that point to the PIDs of sensitive processes, such as LSASS, antivirus engines, or EDR agents [2]. The presence of such activity is a strong signal that this evasion technique may be in use. Monitoring for the creation of suspended processes, especially those related to system utilities, should be a component of a robust detection strategy.
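One way to operationalise the monitoring described above, as an added example that is not part of the original article or of the EDR-Freeze repository: it scans constructed process-creation events for `WerFaultSecure.exe` launches whose arguments reference the PID of a process on a sensitive-process list. The event shape, the process inventory, the `/pid` switch form and the `edr_agent.exe` name are all assumptions made for the example.

```python
"""Detection sketch: flag WerFaultSecure.exe launches whose command line
references the PID of a sensitive process (EDR/AV engine, LSASS)."""
import re

# Constructed sample data for this example: a process inventory (pid -> image)
# and process-creation events in a simplified, Sysmon-like shape. Every PID,
# path and command line below is made up; "edr_agent.exe" is a placeholder
# for whatever agent is actually deployed.
PROCESS_INVENTORY = {
    728: r"C:\Windows\System32\lsass.exe",
    4120: r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
    5560: r"C:\Program Files\ExampleEDR\edr_agent.exe",
    6032: r"C:\Windows\System32\notepad.exe",
}
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe", "edr_agent.exe"}
# The "/pid N" switch shape is illustrative only; the detector does not rely
# on it and instead matches every integer token on the command line.
SAMPLE_EVENTS = [
    {"pid": 7001, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": "WerFaultSecure.exe /h /pid 4120 /tid 4188"},
    {"pid": 7002, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": "WerFaultSecure.exe /h /pid 6032 /tid 6040"},  # notepad crash
    {"pid": 7003, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": "WerFaultSecure.exe /h /pid 728 /tid 804"},
    {"pid": 7004, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def referenced_pids(cmdline):
    """Every standalone integer on the command line, as candidate PIDs."""
    return {int(tok) for tok in re.findall(r"\b\d+\b", cmdline or "")}

def sensitive_pids(inventory):
    return {pid for pid, img in inventory.items() if basename(img) in SENSITIVE_IMAGES}

def find_suspicious_werfault(events, inventory):
    """One hit per WerFaultSecure.exe launch whose arguments name a sensitive PID."""
    targets = sensitive_pids(inventory)
    hits = []
    for ev in events:
        if basename(ev["image"]) != "werfaultsecure.exe":
            continue
        matched = referenced_pids(ev.get("cmdline")) & targets
        if matched:  # record which protected process the dump request points at
            hits.append({"werfault_pid": ev["pid"],
                         "targets": {p: basename(inventory[p]) for p in sorted(matched)}})
    return hits
```

On the constructed events this yields two hits, the launches aimed at `MsMpEng.exe` and `lsass.exe`, while the crash dump of `notepad.exe` is left alone; in production, feed it the live process list and Sysmon Event ID 1 (or equivalent) records.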
A defense-in-depth posture is necessary to mitigate the risk posed by such techniques. Relying solely on PPL protections or standard endpoint security configurations is insufficient. Organizations should implement behavioral analytics capable of detecting the unusual suspension of security agent processes, as this is not a normal operational event. Strengthening endpoint protection with additional controls that can validate the integrity and intended behavior of system processes can provide another layer of defense. Continuous security monitoring that focuses on the sequence of process creation and state changes is essential for identifying these subtle attacks.
The emergence of EDR-Freeze underscores the ongoing shift in offensive security from exploiting software vulnerabilities to abusing legitimate system functions. This approach is often quieter and harder to detect than traditional methods. It reinforces the principle that defenders cannot assume trust based on the digital signature or origin of a process. Security strategies must evolve to include advanced behavioral monitoring that can discern malicious intent behind the use of trusted tools, a paradigm often referred to as “living-off-the-land” or LOTL.
Conclusion
The release of the EDR-Freeze tool by researcher TwoSevenOneT represents a notable advancement in evasion tradecraft. By cleverly leveraging a race condition within a core Windows debugging function, attackers can now temporarily neutralize security software from user mode with a high degree of stealth. This technique effectively bypasses PPL protections and avoids the tell-tale signs of kernel driver manipulation. For defenders, this serves as a reminder that security monitoring must extend beyond obvious malicious indicators to include the contextual and behavioral analysis of trusted system utilities. The arms race between attack and defense continues to focus on the abuse of inherent operating system capabilities.
References
1. TwoSevenOneT, “EDR-Freeze,” GitHub repository. [Online]. Available: https://github.com/TwoSevenOneT/EDR-Freeze
2. TwoSevenOneT, “EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State,” Zero Salarium, Sep. 2025. [Online]. Available: https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
3. TwoSevenOneT, “CreateProcessAsPPL,” GitHub repository. [Online]. Available: https://github.com/TwoSevenOneT/CreateProcessAsPPL
4. GBHackers, “Hackers Deploy New EDR-Freeze Tool to Disable Security Software,” GBHackers. [Online]. Available: https://gbhackers.com/hackers-deploy-new-edr-freeze-tool/
5. BleepingComputer, “New EDR-Freeze tool uses Windows WER to suspend security software,” BleepingComputer. [Online]. Available: https://www.bleepingcomputer.com/news/security/new-edr-freeze-tool-uses-windows-wer-to-suspend-security-software/
6. CybersecurityNews, “New EDR-Freeze Tool That Puts EDRs and Antivirus Into A Coma State,” CybersecurityNews. [Online]. Available: https://cybersecuritynews.com/edr-freeze-tool/
7. Cyber Security News, “Cyber Security News Post with Expert Comments,” LinkedIn. [Online]. Available: https://www.linkedin.com/posts/cybersecurity-news_cybersecuritynews-activity-7375724452636057600-nsTz
8. Cyber Security News, “Announcement by Cyber Security News,” X (Twitter). [Online]. Available: https://x.com/The_Cyber_News/status/1969959248139268175
9. TwoSevenOneT, “EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State,” Zero Salarium, Sep. 2025. Same source as [2]; cited for the quoted material on process suspension.
10. Tylous, “Freeze,” GitHub repository. [Online]. Available: https://github.com/Tylous/Freeze