Type: Detection | Level: high | Status: experimental

Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze

Detects process access events where WerFaultSecure.exe opens a handle to MsMpEng.exe (the Microsoft Defender Antivirus engine) with dbgcore.dll or dbghelp.dll in the call trace, indicating a potential EDR-Freeze attempt. The technique abuses WerFaultSecure.exe, which runs as a Protected Process Light (PPL) at the WinTCB protection level and can therefore open PPL-protected security processes, to call MiniDumpWriteDump against the target: the dump routine suspends the target's threads, and if WerFaultSecure itself is suspended before it resumes them, the EDR/AV process stays frozen, allowing malicious activity to execute undetected for the duration of the suspension.

Author: Swachchhanda Shrawan Poudel (Nextron Systems) | Created: Thu Nov 27 | Rule ID: 387df17d-3b04-448f-8669-9e7fd5e5fd8c | Product: windows

Log Source
Windows / Process Access
Product: windows
Category: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Definition

Requires Sysmon Event ID 10 (ProcessAccess) with CallTrace enabled. Example Sysmon config snippet using groupRelation="and" so that only WerFaultSecure.exe opening MsMpEng.exe is logged, since recording every ProcessAccess event generates excessive volume:

<ProcessAccess onmatch="include">
  <Rule groupRelation="and">
    <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
    <SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
  </Rule>
</ProcessAccess>

Note that this include filter captures only the WerFaultSecure.exe to MsMpEng.exe pair; the related rules below (WerFaultSecure dumping LSASS, or loading dbgcore.dll/dbghelp.dll) need their own Sysmon entries.

Detection Logic
detection:
    selection:
        SourceImage|endswith: '\WerFaultSecure.exe'
        TargetImage|endswith: '\MsMpEng.exe'
        CallTrace|contains:
            - '\dbgcore.dll'
            - '\dbghelp.dll'
    condition: selection
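As an added example that is not part of the Sigma rule or this page, the selection above implemented in Python and run over constructed Sysmon Event ID 10 records in evtx XML form. The events, paths, PIDs and call-trace offsets are made up for illustration; the matching follows Sigma string semantics (case-insensitive comparisons, a list under one modifier is an OR, the fields of one selection are ANDed), so it also shows why the rule does not fire on a plain handle open without the minidump stack, or on the same stack against lsass.exe.

```python
"""Run this page's Sigma selection over constructed Sysmon Event ID 10 records.

Added example, not part of the Sigma rule or the Sysmon documentation. The
events, paths and call-trace offsets below are constructed and not real
telemetry. Matching follows Sigma string semantics: comparisons are
case-insensitive, a list of values under one modifier is an OR, and the
fields inside one selection are ANDed.
"""
import xml.etree.ElementTree as ET

# Windows event-log XML namespace used by exported Sysmon events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rule's `selection` block, transcribed from the page's Detection Logic.
SELECTION = {
    "SourceImage|endswith": ["\\WerFaultSecure.exe"],
    "TargetImage|endswith": ["\\MsMpEng.exe"],
    "CallTrace|contains": ["\\dbgcore.dll", "\\dbghelp.dll"],
}


def sysmon_eid10(source, target, calltrace, granted="0x1FFFFF"):
    """Build a minimal Sysmon ProcessAccess (EID 10) event in evtx XML form (constructed)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID></System>'
        "<EventData>"
        f'<Data Name="SourceImage">{source}</Data>'
        f'<Data Name="TargetImage">{target}</Data>'
        f'<Data Name="GrantedAccess">{granted}</Data>'
        f'<Data Name="CallTrace">{calltrace}</Data>'
        "</EventData></Event>"
    )


WERFAULTSECURE = r"C:\Windows\System32\WerFaultSecure.exe"
MSMPENG = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"  # constructed version dir
LSASS = r"C:\Windows\System32\lsass.exe"
# Constructed call traces; the module offsets are placeholders, not real values.
TRACE_DBGCORE = (r"C:\Windows\SYSTEM32\ntdll.dll+1000|C:\Windows\System32\KERNELBASE.dll+2000|"
                 r"C:\Windows\System32\dbgcore.dll+3000|C:\Windows\System32\WerFaultSecure.exe+4000")
TRACE_PLAIN = (r"C:\Windows\SYSTEM32\ntdll.dll+1000|C:\Windows\System32\KERNELBASE.dll+2000|"
               r"C:\Windows\System32\WerFaultSecure.exe+4000")

SAMPLE_EVENTS = [
    # 1. EDR-Freeze pattern: WerFaultSecure opens MsMpEng via the minidump stack. Should match.
    sysmon_eid10(WERFAULTSECURE, MSMPENG, TRACE_DBGCORE),
    # 2. Same pair, but no dbg DLL on the stack (no MiniDumpWriteDump). Should not match.
    sysmon_eid10(WERFAULTSECURE, MSMPENG, TRACE_PLAIN),
    # 3. Minidump stack against lsass.exe: a real concern, but another rule's scope. Should not match here.
    sysmon_eid10(WERFAULTSECURE, LSASS, TRACE_DBGCORE),
    # 4. Case differences in image and DLL names: Sigma matching is case-insensitive. Should match.
    sysmon_eid10(WERFAULTSECURE.upper(), MSMPENG.upper(),
                 TRACE_DBGCORE.replace("dbgcore.dll", "DBGHELP.DLL")),
]


def parse_sysmon_event(xml_text):
    """Return (event_id, {field name: value}) for one Sysmon event in evtx XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, fields


def field_matches(value, modifier, patterns):
    """Sigma string modifiers, case-insensitive; any pattern in the list may match (OR)."""
    value = value.lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if modifier == "endswith" and value.endswith(pattern):
            return True
        if modifier == "startswith" and value.startswith(pattern):
            return True
        if modifier == "contains" and pattern in value:
            return True
    return False


def selection_matches(fields, selection=SELECTION):
    """Every key of a Sigma selection map must match (AND); a missing field never matches."""
    for key, patterns in selection.items():
        field, modifier = key.split("|", 1)
        if not field_matches(fields.get(field, ""), modifier, patterns):
            return False
    return True


def evaluate(events, selection=SELECTION):
    """Return the fields of every EID 10 event that satisfies `condition: selection`."""
    hits = []
    for xml_text in events:
        event_id, fields = parse_sysmon_event(xml_text)
        if event_id == 10 and selection_matches(fields, selection):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {hit['SourceImage']} -> {hit['TargetImage']} access={hit['GrantedAccess']}")
```

Running the script reports events 1 and 4 only. Event 2 is the kind of handle open the False Positives note refers to and is suppressed by the CallTrace requirement; event 3 is the LSASS case that the related "PPL Tampering Via WerFaultSecure" rule covers.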
False Positives

Legitimate Windows Error Reporting operations

Testing & Validation

Regression Tests

Positive Detection Test (evtx), channel Microsoft-Windows-Sysmon, by Swachchhanda Shrawan Poudel (Nextron Systems)

Related Rules
Similar | Threat Hunt | medium

WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze

Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection. However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity. When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load. Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts. Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.

Detects similar activity. Both rules may fire on overlapping events.

Similar | Detection | high

PPL Tampering Via WerFaultSecure

Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool:
- WSASS usage typically shows "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
- EDR-Freeze usage typically shows "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
387df17d-3b04-448f-8669-9e7fd5e5fd8c
Status
experimental
Level
high
Type
Detection
Created
Thu Nov 27
Path
rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml
Raw Tags
attack.defense-evasion, attack.t1562.001