Skip to content

Hide Navigation Hide TOC

Hacktool - EDR-Freeze Execution (c598cc0c-9e70-4852-b9eb-8921af79f598)

Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.

Cluster A Galaxy A Cluster B Galaxy B Level
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Hacktool - EDR-Freeze Execution (c598cc0c-9e70-4852-b9eb-8921af79f598) Sigma-Rules 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2