EDR-Freeze: New Windows Technique Can Put Security Tools into “Coma State”

A new proof-of-concept tool named EDR-Freeze shows how attackers can neutralize security solutions entirely from user mode by abusing Microsoft's Windows Error Reporting (WER) system.

Unlike traditional methods that rely on vulnerable kernel drivers, this technique can push endpoint detection and response (EDR) agents into a hibernation-like state without executing any code in the kernel.

Security researcher TwoSevenOneThree (Zero Salarium) discovered that combining the WER framework with the MiniDumpWriteDump API allows indefinite suspension of EDR and antivirus processes. Existing bypass techniques mainly depend on the "Bring Your Own Vulnerable Driver" (BYOVD) approach, in which attackers load a legitimately signed but flawed driver to gain kernel-level access. BYOVD has significant hurdles, however: the driver must be delivered to the victim machine, execution controls must be bypassed, and kernel-level traces that could expose the attack must be covered.

EDR-Freeze is considered far stealthier since it operates fully from user mode, requires no third-party driver, and leverages native Windows components already available by default.

The method abuses WerFaultSecure, a Windows Error Reporting component running with Protected Process Light (PPL) privileges, intended to capture sensitive process crash dumps.

At the core is MiniDumpWriteDump, an API from the DbgHelp library that generates memory snapshots. During its execution, the API suspends all process threads, later resuming them after the dump completes.

In this attack, EDR-Freeze launches WerFaultSecure and has it call MiniDumpWriteDump on the target, which pauses the target's threads for the duration of the dump. The attacker then suspends WerFaultSecure itself, so it never reaches the point where it would resume the target, leaving the EDR or antivirus process in a permanent suspended or "coma" state.

The researcher explains this as a race condition attack, reproducible in four steps:

  • Launch WerFaultSecure as a PPL.
  • Provide arguments so it calls MiniDumpWriteDump on the target PID.
  • Poll the target until suspension begins.
  • Immediately suspend WerFaultSecure with NtSuspendProcess to freeze the dumper.

A proof-of-concept tool was tested successfully on Windows 11 24H2, where it managed to freeze Microsoft Defender. The researcher notes that this isn't a vulnerability but rather a design weakness in how these components interact.

According to security researcher Steven Lim, one way to detect abuse is to monitor for WerFaultSecure unexpectedly targeting critical processes such as LSASS or EDR agents. Lim also released a tool that maps WerFaultSecure activity to Microsoft Defender for Endpoint processes.
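One way to implement that detection on a Sysmon-instrumented host, as an added example that is neither the article's nor Lim's tool: MiniDumpWriteDump needs a handle to the target process, so when WerFaultSecure.exe opens LSASS or an EDR engine, Sysmon records a ProcessAccess event (Event ID 10) with the source and target images, regardless of how WerFaultSecure was started or what arguments it was given. The list of sensitive image names is an assumption for a Defender host and should be extended with the EDR actually deployed; the sample records at the bottom are constructed, not real telemetry.

```powershell
# Added example, not the article's or the researcher's code: flag Sysmon
# Event ID 10 (ProcessAccess) records in which WerFaultSecure.exe opens a
# handle to LSASS or to an EDR/AV engine. Target names are an assumption
# for a Microsoft Defender host; add the image names of the EDR you run.
$SensitiveTargets = @('lsass.exe', 'MsMpEng.exe', 'MsSense.exe', 'SenseIR.exe')

function Test-WerFaultSecureTargetsSensitiveProcess {
    param(
        [Parameter(Mandatory)] [string]$SourceImage,
        [Parameter(Mandatory)] [string]$TargetImage
    )
    # Compare on file names only; install paths (Defender platform folders
    # in particular) vary between hosts and versions.
    $source = [System.IO.Path]::GetFileName($SourceImage)
    $target = [System.IO.Path]::GetFileName($TargetImage)
    return ($source -ieq 'WerFaultSecure.exe') -and ($SensitiveTargets -icontains $target)
}

# Flatten one Sysmon event's EventData into a PSCustomObject (SourceImage,
# TargetImage, GrantedAccess, ...). Get-WinEvent exposes the record as XML.
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory)] $Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

# Live hunt over the local Sysmon log. Requires a Sysmon configuration that
# actually records ProcessAccess for the sensitive targets; many baseline
# configs only log accesses to lsass.exe.
function Find-WerFaultSecureAbuse {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object { Test-WerFaultSecureTargetsSensitiveProcess -SourceImage $_.SourceImage -TargetImage $_.TargetImage } |
        Select-Object UtcTime, SourceProcessId, SourceImage, TargetProcessId, TargetImage, GrantedAccess
}

# Constructed sample records (not real telemetry) so the logic runs offline.
$sample = @(
    [pscustomobject]@{ UtcTime = '2025-09-22 10:01:03.120'; SourceImage = 'C:\Windows\System32\WerFaultSecure.exe'; TargetImage = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\MsMpEng.exe'; GrantedAccess = '0x1FFFFF' },
    [pscustomobject]@{ UtcTime = '2025-09-22 10:01:04.500'; SourceImage = 'C:\Windows\System32\WerFaultSecure.exe'; TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = '0x1FFFFF' },
    [pscustomobject]@{ UtcTime = '2025-09-22 10:02:10.010'; SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' }
)
$sample | Where-Object { Test-WerFaultSecureTargetsSensitiveProcess -SourceImage $_.SourceImage -TargetImage $_.TargetImage }
```

Run against the constructed sample, only the first record (WerFaultSecure.exe opening MsMpEng.exe) is returned; the notepad.exe dump and the svchost.exe access to LSASS are not. Treat a hit as a lead rather than a verdict: a genuine crash of LSASS or of the EDR engine also produces a WerFaultSecure dump, so correlate with the process-creation event (Sysmon Event ID 1) for WerFaultSecure.exe and check whether its parent is the WER service or an unrelated, attacker-controlled process.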

Experts suggest Microsoft could mitigate this by:

  • Blocking suspicious calls to WerFaultSecure.
  • Restricting allowed process identifiers (PIDs).
  • Limiting the scope of possible parameters.

BleepingComputer has reached out to Microsoft for an official comment on potential defenses against this attack. Updates will follow once a response is received.

Labels: Cyber Security, EDR-Freeze, MiniDumpWriteDump, WerFaultSecure, Windows 11 security, Windows Error Reporting