WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze

Original Source: [Sigma source]
Title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
Status: experimental
Description: Detects WerFaultSecure.exe loading dbgcore.dll or dbghelp.dll, the libraries that export the MiniDumpWriteDump function. MiniDumpWriteDump writes a minidump of a process and suspends every thread in the target process while it does so, in order to capture a consistent memory snapshot. The EDR-Freeze technique abuses WerFaultSecure.exe, which runs as a Protected Process Light (PPL) at the WinTCB protection level and can therefore open protected EDR/AV processes, to trigger that thread suspension against a security product. While the target's threads remain suspended, malicious activity can execute without being observed by it.
References:
  - https://github.com/TwoSevenOneT/EDR-Freeze
  - https://blog.axelarator.net/hunting-for-edr-freeze/
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-11-27
Modified: None
Tags:
  - attack.defense-evasion
  - attack.t1562.001
Logsource:
  category: image_load
  product: windows
Detection:
  selection:
    Image|endswith: '\WerFaultSecure.exe'
    ImageLoaded|endswith:
      -'\dbgcore.dll'
      -'\dbghelp.dll'

  condition: selection
Falsepositives:
  - Unknown
Level: medium
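The selection above, evaluated in code. This is an added example and not part of the Sigma rule or the EDR-Freeze project: it transcribes the rule's selection into a small matcher that applies the Sigma `endswith` modifier with Sigma's default case-insensitive string comparison, and runs it over a handful of constructed Sysmon Event ID 7 (image load) records. The sample records are made up for the example; the field names Image and ImageLoaded are the ones Sysmon and the rule use.

```python
"""Evaluate the EDR-Freeze Sigma selection against constructed image_load events."""
import json

# The rule's selection block. A key carries the Sigma field modifier after '|';
# a list of values is an OR, and separate keys are ANDed together.
SELECTION = {
    "Image|endswith": ["\\WerFaultSecure.exe"],
    "ImageLoaded|endswith": ["\\dbgcore.dll", "\\dbghelp.dll"],
}

# Constructed sample records (not real telemetry), shaped loosely like Sysmon
# EID 7 exported as JSON. Only the fields the rule consults are included.
SAMPLE_LOG_LINES = [
    r'{"EventID": 7, "Image": "C:\\Windows\\System32\\WerFaultSecure.exe", "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll"}',
    r'{"EventID": 7, "Image": "C:\\Windows\\System32\\WerFaultSecure.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"}',
    r'{"EventID": 7, "Image": "C:\\Windows\\System32\\WerFault.exe", "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"}',
    r'{"EventID": 7, "Image": "C:\\Tools\\procdump64.exe", "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"}',
    r'{"EventID": 7, "Image": "C:\\WINDOWS\\SYSTEM32\\WERFAULTSECURE.EXE", "ImageLoaded": "C:\\WINDOWS\\SYSTEM32\\DBGHELP.DLL"}',
]


def _match_value(value: str, pattern: str, modifier: str) -> bool:
    """Apply one Sigma string modifier. Sigma string matching is
    case-insensitive by default, so both sides are lower-cased first."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":          # plain 'Field: value' means equality
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """True when every key of the selection matches (AND); a list of values
    for one key matches when any single value does (OR)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match_value(str(value), p, modifier) for p in patterns):
            return False
    return True


def evaluate(log_lines) -> list:
    """Parse JSON log lines and return the image-load events the rule fires on."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("EventID") == 7 and matches_selection(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_LOG_LINES):
        print(f"EDR-Freeze candidate: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Of the five constructed records only the first and the last match: WerFault.exe and procdump64.exe load the same debug libraries but are not WerFaultSecure.exe, and the upper-cased path in the last record matches because Sigma compares strings case-insensitively, so a backend that translates the rule into a case-sensitive comparison would miss it. A hit is a hunting lead rather than a verdict, since the OS uses WerFaultSecure.exe itself to dump protected processes; pivot on the parent process of the WerFaultSecure.exe instance and on which process it was asked to dump before treating it as EDR-Freeze.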