Detection rules › Sigma
Hacktool - EDR-Freeze Execution
Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: 1 of selection_img
or:
Image|contains: '\EDR-Freeze'
Image|contains: '\EDRFreeze'
Image|endswith: .exe
Stage 2: 1 of selection_imphash
or:
Hashes|contains: 'IMPHASH=1195F7935954A2CD09157390C33F8E8C'
Hashes|contains: 'IMPHASH=129F58DE3D687FB7F012BF6C3D679997'
Hashes|contains: 'IMPHASH=2C617A175D0086251642C6619F7CC8BA'
Hashes|contains: 'IMPHASH=8828F0B906F7844358FB92A899E9520F'
Hashes|contains: 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0'
Hashes|contains: 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7'
Hashes|contains: 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'
Hashes|contains: 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Hashes | match |
|
Image | ends_with |
|
Image | match |
|