title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
status: experimental
description: |
    Detects process access events where WerFaultSecure.exe accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating a potential EDR-Freeze technique.
    The technique abuses WerFaultSecure.exe, which runs as a Protected Process Light (PPL) at the WinTCB protection level, to call MiniDumpWriteDump against EDR/AV processes and suspend them, allowing malicious activity to run undetected for as long as the suspension lasts.
references:
    - https://blog.axelarator.net/hunting-for-edr-freeze/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: None
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_access
    product: windows
    definition: |
        Requires Sysmon Event ID 10 (ProcessAccess) with CallTrace enabled.
        Example Sysmon config snippet using a rule group (groupRelation="and") so that only access from WerFaultSecure.exe to MsMpEng.exe is recorded, since logging every ProcessAccess event generates excessive volume:
        <ProcessAccess onmatch="include">
            <Rule groupRelation="and">
                <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
                <SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
            </Rule>
        </ProcessAccess>
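To show how the conditions in the description and logsource definition apply to real telemetry, the following is an added example (not part of this rule and not Nextron Systems' code) that evaluates the SourceImage, TargetImage and CallTrace fields of Sysmon Event ID 10 records the way the description states, and also breaks the CallTrace down into module names so an analyst can see which frame carried dbgcore.dll or dbghelp.dll. Field names follow Sysmon's EventData; the sample events, file paths and call-trace offsets are constructed.

```python
"""Added example: apply the check described by the rule above to Sysmon
Event ID 10 (ProcessAccess) records.  Illustration code only; it is not the
rule's detection block and not Nextron Systems' code.  Field names
(SourceImage, TargetImage, GrantedAccess, CallTrace) are Sysmon's EventData
names; the sample events below are constructed."""
import re
from typing import Iterable

# Modules that implement MiniDumpWriteDump; their presence in the call trace
# of a ProcessAccess event is the indicator the rule description names.
DUMP_MODULES = ("dbgcore.dll", "dbghelp.dll")
SOURCE_SUFFIX = "\\werfaultsecure.exe"
TARGET_SUFFIX = "\\msmpeng.exe"

# Sysmon writes CallTrace as "<module>+<hexoffset>|<module>+<hexoffset>|...".
_FRAME = re.compile(r"^(?P<module>.*?)\+(?P<offset>[0-9a-fA-F]+)$")


def parse_call_trace(call_trace: str) -> list[str]:
    """Return the lower-cased module basename of every frame in a CallTrace.
    Frames Sysmon could not resolve (e.g. 'UNKNOWN(000001F4...)') are kept
    verbatim so they stay visible to the analyst."""
    modules = []
    for frame in call_trace.split("|"):
        frame = frame.strip()
        if not frame:
            continue
        m = _FRAME.match(frame)
        path = m.group("module") if m else frame
        modules.append(path.rsplit("\\", 1)[-1].lower())
    return modules


def dump_modules_in_trace(call_trace: str) -> list[str]:
    """MiniDump-related modules that appear in the trace, in frame order."""
    return [m for m in parse_call_trace(call_trace) if m in DUMP_MODULES]


def is_edr_freeze_access(event: dict) -> bool:
    """True when a ProcessAccess event matches the behaviour the rule describes:
    WerFaultSecure.exe opening MsMpEng.exe with dbgcore/dbghelp on the stack."""
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    if not (source.endswith(SOURCE_SUFFIX) and target.endswith(TARGET_SUFFIX)):
        return False
    return bool(dump_modules_in_trace(event.get("CallTrace", "")))


def triage(events: Iterable[dict]) -> list[dict]:
    """Run the check over a batch of events and return alert records."""
    alerts = []
    for ev in events:
        if is_edr_freeze_access(ev):
            alerts.append({
                "source": ev["SourceImage"],
                "target": ev["TargetImage"],
                "granted_access": ev.get("GrantedAccess"),
                "dump_modules": dump_modules_in_trace(ev["CallTrace"]),
            })
    return alerts


# Constructed sample events (not real telemetry); paths and offsets are made up.
SAMPLE_EVENTS = [
    {   # matches: WerFaultSecure -> MsMpEng with dbgcore.dll in the trace
        "SourceImage": r"C:\Windows\System32\WerFaultSecure.exe",
        "TargetImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|C:\Windows\System32\KERNELBASE.dll+2f4c6|C:\Windows\System32\dbgcore.dll+3e51a|C:\Windows\System32\WerFaultSecure.exe+1a2b3",
    },
    {   # no match: WerFaultSecure writing a dump of some other process
        "SourceImage": r"C:\Windows\System32\WerFaultSecure.exe",
        "TargetImage": r"C:\Program Files\Example\app.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|C:\Windows\System32\dbghelp.dll+1c3f0",
    },
    {   # no match: another process touching MsMpEng without dump modules
        "SourceImage": r"C:\Windows\System32\svchost.exe",
        "TargetImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|C:\Windows\System32\KERNELBASE.dll+2f4c6",
    },
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The image comparisons are suffix matches, mirroring the `end with` conditions in the Sysmon snippet above, and the CallTrace check is a module-name match rather than a raw substring search so that a module path merely containing "dbghelp" as part of a longer name does not trigger an alert. The second sample event is the one to keep in mind when tuning: WerFaultSecure.exe dumping a non-EDR process with dbghelp.dll on the stack is exactly what the grouped Sysmon rule filters out at collection time.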