Hacktool - EDR-Freeze Execution
Detects execution of EDR-Freeze, a tool that abuses the MiniDumpWriteDump function and the Windows Error Reporting binary WerFaultSecure.exe to suspend EDR and antivirus processes on Windows. EDR-Freeze relies on a race condition: WerFaultSecure suspends the target process while it writes a minidump, and EDR-Freeze suspends WerFaultSecure itself at that moment, so the security process is never resumed and stays dormant. The technique needs no kernel-level exploit and no vulnerable driver (BYOVD); it only abuses user-mode functionality to temporarily disable monitoring by EDR or antimalware solutions.
Log source (process creation): events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata such as the image path and the hashes Sysmon computes for the image.
detection:
    selection_img:
        Image|contains:
            - '\EDR-Freeze'
            - '\EDRFreeze'
        Image|endswith: '.exe'
    selection_imphash:
        Hashes|contains:
            - 'IMPHASH=1195F7935954A2CD09157390C33F8E8C'
            - 'IMPHASH=129F58DE3D687FB7F012BF6C3D679997'
            - 'IMPHASH=2C617A175D0086251642C6619F7CC8BA'
            - 'IMPHASH=8828F0B906F7844358FB92A899E9520F'
            - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'
            - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'
            - 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0'
            - 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7'
    condition: 1 of selection_*

False positives
False positives are unlikely for most environments. High confidence detection.
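To see how the two selections combine, here is the rule's logic re-implemented in plain Python and run over a few constructed Sysmon-style process-creation events. This is an added example, not code from the rule page or from the Sigma project; it assumes Sysmon Event ID 1 field names (Image, Hashes), Sysmon's comma-separated "ALG=value" layout for the Hashes field, and Sigma's default case-insensitive string matching. The event values are constructed; the hash values other than the rule's own IMPHASH list are placeholders.

```python
"""Evaluate the EDR-Freeze Sigma logic against Sysmon-style process-creation events.

Added example, not part of the rule or the Sigma project. Assumes Sysmon Event
ID 1 field names and Sigma's default case-insensitive string matching.
"""

# Values copied verbatim from selection_img / selection_imphash in the rule.
IMAGE_SUBSTRINGS = (r"\EDR-Freeze", r"\EDRFreeze")
IMAGE_SUFFIX = ".exe"
IMPHASHES = (
    "1195F7935954A2CD09157390C33F8E8C",
    "129F58DE3D687FB7F012BF6C3D679997",
    "2C617A175D0086251642C6619F7CC8BA",
    "8828F0B906F7844358FB92A899E9520F",
    "AF76D95157EC554DC1EF178E4E66D447",
    "E1B04316B61ACA31DD52ABBEC0A37FD5",
    "8B2D5B54AFCFEC60D54F6B31D80ED4A0",
    "AB8BB31EDD91D2A05FE7B62A535E9EB7",
)


def selection_img(event: dict) -> bool:
    """selection_img: Image|contains one of the names AND Image|endswith '.exe'.

    Two field modifiers inside one selection are ANDed in Sigma, and string
    comparisons are case-insensitive by default, hence the lower() calls.
    """
    image = event.get("Image", "").lower()
    return image.endswith(IMAGE_SUFFIX) and any(
        needle.lower() in image for needle in IMAGE_SUBSTRINGS
    )


def selection_imphash(event: dict) -> bool:
    """selection_imphash: Hashes|contains 'IMPHASH=<value>' for any listed hash.

    Sysmon writes Hashes as e.g. 'SHA256=...,IMPHASH=...', so a substring match
    on 'IMPHASH=<hex>' is enough; upper() keeps the comparison case-insensitive.
    """
    hashes = event.get("Hashes", "").upper()
    return any(f"IMPHASH={h}" in hashes for h in IMPHASHES)


def matches(event: dict) -> bool:
    """condition: 1 of selection_*  (i.e. selection_img OR selection_imphash)."""
    return selection_img(event) or selection_imphash(event)


def run(events) -> list:
    """Return the Image path of every event the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]


# Constructed sample events (placeholder hashes except where noted).
SAMPLE_EVENTS = [
    {   # dropped with its default name: caught by selection_img
        "Image": r"C:\Users\bob\Downloads\EDR-Freeze.exe",
        "Hashes": "MD5=11111111111111111111111111111111,IMPHASH=22222222222222222222222222222222",
    },
    {   # renamed to blend in: image check misses, import hash (from the rule) still fires
        "Image": r"C:\ProgramData\update\svchost.exe",
        "Hashes": "SHA256=" + "3" * 64 + ",IMPHASH=AF76D95157EC554DC1EF178E4E66D447",
    },
    {   # all-lowercase name: still matches because Sigma matching is case-insensitive
        "Image": r"C:\Tools\edrfreeze.exe",
        "Hashes": "MD5=44444444444444444444444444444444",
    },
    {   # the abused Windows binary itself is not what the rule looks for
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "Hashes": "IMPHASH=55555555555555555555555555555555",
    },
    {   # benign process with no hashes logged at all
        "Image": r"C:\Windows\System32\notepad.exe",
        "Hashes": "",
    },
]

if __name__ == "__main__":
    for image in run(SAMPLE_EVENTS):
        print("ALERT EDR-Freeze execution:", image)
```

The second sample is the one worth noting operationally: a renamed binary only trips selection_imphash, and that selection can only fire if the Sysmon configuration's HashAlgorithms setting includes IMPHASH (or `*`); with the default MD5/SHA256-only configuration the Hashes field never carries an IMPHASH value and the rule degrades to the filename check alone.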