
Suspicious Process Suspension via WERFaultSecure through EDR-Freeze (1f0b4cac-9c81-41f4-95d0-8475ff46b3e2)

Detects attempts to freeze a process, most likely an EDR or antimalware service process, using EDR-Freeze, a tool that abuses the Windows Error Reporting binary WerFaultSecure.exe to put security software into a suspended state. WerFaultSecure.exe is a Microsoft-signed binary that runs as a Protected Process Light (PPL), so it can obtain handles to protected security processes that an ordinary process could not; because the binary itself is legitimate, the indicator is the invocation context (who launched it and with what arguments) rather than the image.
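As an added example (not part of this galaxy entry or of the Sigma rule it describes), the following Python script runs a detection of this kind over constructed Sysmon-style process-creation records. It assumes that EDR-Freeze launches WerFaultSecure.exe with the switches /h, /pid, /tid, /encfile, /cancel and /type, and that the process named by /pid is the suspension target; both are assumptions taken from the tool's public description, not from this page. The list of security process names, the sample events and the pid-to-image snapshot are all constructed for the example.

```python
"""Added example: flag WerFaultSecure.exe launches that match the EDR-Freeze
suspension pattern in constructed Sysmon-style process-creation events.

Assumptions (not taken from the Sigma rule page): EDR-Freeze starts
WerFaultSecure.exe with the switches /h /pid /tid /encfile /cancel /type, and
the process named by /pid is the one being suspended.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Switch set EDR-Freeze passes to WerFaultSecure.exe (assumption, see docstring).
REQUIRED_SWITCHES = frozenset({"/h", "/pid", "/tid", "/encfile", "/cancel", "/type"})

# Image names treated as security software when they appear as the /pid target.
# Tunable assumption; extend with the agents deployed in your estate.
SECURITY_PROCESSES = frozenset({"msmpeng.exe", "mssense.exe", "sensendr.exe"})


@dataclass
class Finding:
    record_id: int
    parent_image: str
    target_pid: Optional[int]
    target_image: str
    severity: str


def basename(path: str) -> str:
    """Lowercase file name of a Windows path (handles both separators)."""
    return re.split(r"[\\/]", path)[-1].lower()


def switches(command_line: str) -> set:
    """Lowercase /switch tokens in a command line, ignoring path components."""
    return {t.lower() for t in re.findall(r"(?<!\S)/[A-Za-z]+", command_line)}


def target_pid(command_line: str) -> Optional[int]:
    """PID named by the /pid switch, or None if absent."""
    m = re.search(r"(?<!\S)/pid\s+(\d+)", command_line, re.IGNORECASE)
    return int(m.group(1)) if m else None


def classify(event: dict, process_table: dict) -> Optional[Finding]:
    """Return a Finding if the event looks like EDR-Freeze driving WerFaultSecure."""
    if basename(event["Image"]) != "werfaultsecure.exe":
        return None
    if not REQUIRED_SWITCHES <= switches(event["CommandLine"]):
        return None
    pid = target_pid(event["CommandLine"])
    target = process_table.get(pid, "<unknown>").lower()
    # A security agent as the /pid target is the case the rule is written for;
    # anything else still deserves a look, but at lower severity.
    severity = "high" if target in SECURITY_PROCESSES else "medium"
    return Finding(event["RecordId"], basename(event["ParentImage"]), pid, target, severity)


def scan(events, process_table):
    """Run classify over a batch of events and return the findings in order."""
    return [f for f in (classify(e, process_table) for e in events) if f]


# Constructed sample data: a pid -> image snapshot and four process-creation events.
PROCESS_TABLE = {2244: "MsMpEng.exe", 5100: "notepad.exe"}

EVENTS = [
    {   # EDR-Freeze style launch aimed at the Defender service process
        "RecordId": 1,
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "ParentImage": r"C:\Users\Public\EDR-Freeze.exe",
        "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 2244 /tid 2260 "
                       r"/encfile C:\Users\Public\out.dmp /cancel 312 /type 268310",
    },
    {   # Same switch pattern, but the /pid target is not security software
        "RecordId": 2,
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "ParentImage": r"C:\Users\Public\tool.exe",
        "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 5100 /tid 5112 "
                       r"/encfile C:\Users\Public\out.dmp /cancel 400 /type 268310",
    },
    {   # WerFaultSecure.exe with a different, partial switch set: not flagged
        "RecordId": 3,
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /shared Global\constructed",
    },
    {   # Ordinary WerFault.exe crash handling: wrong image, not flagged
        "RecordId": 4,
        "Image": r"C:\Windows\System32\WerFault.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 1800",
    },
]

if __name__ == "__main__":
    for finding in scan(EVENTS, PROCESS_TABLE):
        print(finding)
```

The severity split is the practical point: the switch pattern alone tells you WerFaultSecure.exe was driven the way EDR-Freeze drives it, while resolving the /pid against a process snapshot tells you whether the frozen target was actually a security agent. Both the parent image and the target image are carried in the finding so a triager can see at a glance who launched the binary and what it was pointed at.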

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Suspicious Process Suspension via WERFaultSecure through EDR-Freeze (1f0b4cac-9c81-41f4-95d0-8475ff46b3e2) | Sigma-Rules | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |