Picus Labs | 6 MIN READ

CREATED ON December 01, 2025

EDR-Freeze: The User-Mode Attack That Puts Security into a Coma

A new evasion technique known as "EDR-Freeze" has emerged, changing the way attackers neutralize endpoint security. Unlike traditional methods that attempt to crash or terminate security software (which often triggers alerts), EDR-Freeze suspends the security process entirely, rendering it "comatose" but technically alive. This attack is particularly dangerous because it operates entirely in user mode, meaning it does not require the attacker to bring a vulnerable driver (BYOVD) or exploit kernel-level flaws. Instead, it abuses legitimate Windows error reporting tools to freeze Endpoint Detection and Response (EDR) agents, creating a blind spot where malicious activity can occur undetected.

How Does the EDR Freeze Attack Work Internally?

The elegance of the EDR Freeze attack lies in its manipulation of three core Windows components, turning them against the system they are designed to protect. The attack chains these components together to create a deadlock, effectively freezing a security product in its tracks.

The Core Components

MiniDumpWriteDump Function

This is a legitimate function found in the Windows DbgHelp.dll library. Its intended purpose is for debugging; it creates a snapshot (a "minidump") of a process's memory. To ensure this snapshot is accurate and consistent, the function's first action is to suspend all threads in the target process. This "pause" feature is the mechanism the attack exploits.

Protected Process Light (PPL)

This is the primary obstacle for the attacker. Modern EDR and AV solutions run as PPL processes. This security feature prevents other non-protected processes (even those with administrative rights) from tampering with them.

WerFaultSecure.exe Tool

This is the attacker's "key." A legitimate component of the Windows Error Reporting service, WerFaultSecure.exe is a high-privilege system tool. Crucially, it runs with the WinTCB protection level, which is a PPL level that grants it the authority to interact with other PPL processes (like EDRs) to collect diagnostic data when they crash.

The Attack Chain: A Race Condition Deadlock

The EDR Freeze attack is not a simple command. It is a precisely timed race condition that requires Administrator privileges to initiate. The goal is to get WerFaultSecure.exe to start the dump on the EDR, and then "freeze the freezer" before it can finish.

The process, as automated by the "EDR-Freeze" proof-of-concept tool [1], consists of four steps, as follows [2] [3]:

  1. Initiation: The attacker, having already gained administrative privileges, launches WerFaultSecure.exe. They pass it command-line parameters (-p <PID>) instructing it to generate a dump of the target EDR/AV process.
  2. The Freeze: WerFaultSecure.exe, using its high-privilege PPL status, successfully acquires a handle to the protected EDR process and calls the MiniDumpWriteDump function. As designed, this function immediately suspends all threads within the EDR process, stopping its execution.
  3. The Race: The attacker's EDR-Freeze tool, which has been rapidly monitoring the thread states of the target EDR, detects this suspended state. This is the critical moment in the race.
  4. The Deadlock: The instant the EDR is confirmed to be suspended, the attacker's tool wins the race by immediately using the NtSuspendProcess function to suspend the WerFaultSecure.exe process itself.

This creates a perfect deadlock. The EDR process is frozen and will only be resumed once WerFaultSecure.exe completes the MiniDumpWriteDump operation. However, WerFaultSecure.exe is now also frozen and can never complete its task.

The result is that the EDR process remains in a suspended "coma" indefinitely, its icon still visible but its detection capabilities completely neutralized. The attacker is now free to execute further commands, like running Mimikatz, deploying ransomware, or exfiltrating data, in a "blind spot" invisible to the disabled security product.
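A defender-side detection sketch for the chain above, added here as an example (not code from the original post or from the EDR-Freeze project): it correlates constructed Sysmon-style process-creation records to flag a WerFaultSecure.exe launch whose `-p <PID>` argument names a watched security process, then confirms the deadlock signature from a constructed thread-state snapshot in which both the target and WerFaultSecure.exe are fully suspended. The watch-list image names, PIDs, parent images and the snapshot are hypothetical.

```python
import re
from dataclasses import dataclass

# Hypothetical watch-list of security-agent image names a defender maintains.
WATCHED_SECURITY_IMAGES = {"msmpeng.exe", "edragent.exe"}

@dataclass(frozen=True)
class ProcEvent:  # one Sysmon Event ID 1-style record, reduced to the fields the check needs
    pid: int
    image: str
    parent_image: str
    command_line: str

# Constructed sample telemetry. PID 4321 is a hypothetical EDR agent; the two
# WerFaultSecure.exe launches differ only in which PID they are told to dump.
SAMPLE_EVENTS = [
    ProcEvent(4321, "EdrAgent.exe", "services.exe", '"C:\\Program Files\\EDR\\EdrAgent.exe"'),
    ProcEvent(5100, "notepad.exe", "explorer.exe", "notepad.exe"),
    ProcEvent(6010, "WerFaultSecure.exe", "svchost.exe", "WerFaultSecure.exe -p 5100"),
    ProcEvent(6020, "WerFaultSecure.exe", "powershell.exe", "WerFaultSecure.exe -p 4321"),
]

# Constructed thread-state snapshot taken after the events: PID -> every thread suspended?
SAMPLE_ALL_THREADS_SUSPENDED = {4321: True, 5100: False, 6010: False, 6020: True}

_PID_FLAG = re.compile(r"(?:^|\s)-p\s+(\d+)\b")

def target_pid(command_line):
    """PID handed to WerFaultSecure.exe with -p, or None if the flag is absent."""
    m = _PID_FLAG.search(command_line)
    return int(m.group(1)) if m else None

def find_edr_freeze_candidates(events):
    """WerFaultSecure.exe launches whose -p target is a watched security process.
    Returns (werfaultsecure_pid, target_pid, target_image, parent_image) tuples."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() != "werfaultsecure.exe":
            continue
        victim = by_pid.get(target_pid(e.command_line))
        if victim and victim.image.lower() in WATCHED_SECURITY_IMAGES:
            hits.append((e.pid, victim.pid, victim.image, e.parent_image))
    return hits

def confirm_deadlock(hits, all_threads_suspended):
    """Keep only candidates where both WerFaultSecure.exe and its target are fully
    suspended: the frozen-freezer state the deadlock leaves behind."""
    return [h for h in hits if all_threads_suspended.get(h[0]) and all_threads_suspended.get(h[1])]
```

The creation-time check alone also catches the legitimate case where WER dumps a crashed security process, so the snapshot confirmation (or a time-bounded "still suspended" re-check) is what separates a real freeze from a benign crash report.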

How Does Picus Simulate EDR-Freeze Attacks?

We also strongly suggest simulating EDR-Freeze Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other techniques, such as Process Injection, Input Capture, Active Directory Attacks, and OS Credential Dumping, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the EDR-Freeze Attack:

Threat ID   Threat Name                            Attack Module
46184       Impair Defenses Micro Emulation Plan   Windows Endpoint

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • EDR Freeze disables security tools by suspending them instead of terminating them, avoiding typical alert triggers.
  • The method works entirely in user mode and does not require kernel exploits or vulnerable drivers.
  • It relies on chaining MiniDumpWriteDump, Protected Process Light, and WerFaultSecure.exe to create a process suspension deadlock.
  • WerFaultSecure.exe gains privileged access to the protected EDR process and triggers thread suspension.
  • The attacker suspends WerFaultSecure.exe at the precise moment it suspends the EDR, leaving both stuck indefinitely.
  • The result is a long-lasting blind spot where the EDR remains visible but non-functional.

References

[1] T. S. O. Three, EDR-Freeze: EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state. Github. Accessed: Nov. 18, 2025. [Online]. Available: https://github.com/TwoSevenOneT/EDR-Freeze

[2] Z. Salarium, “EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State.” Accessed: Nov. 18, 2025. [Online]. Available: https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html

[3] “Inside EDR-Freeze: How ThreatDown stops the attack before it spreads,” ThreatDown by Malwarebytes. Accessed: Nov. 18, 2025. [Online]. Available: https://www.threatdown.com/blog/inside-edr-freeze-how-threatdown-stops-the-attack-before-it-spreads/

Frequently Asked Questions (FAQs)

Here are the most frequently asked questions about the EDR-Freeze technique.

What is the EDR Freeze technique?

EDR Freeze is a user-mode evasion method that suspends an EDR process without terminating it. It abuses legitimate Windows diagnostic tools to place the security software into a suspended state, leaving it visible but unable to perform monitoring or detection functions.

Why is EDR Freeze considered dangerous?

It is dangerous because it creates a silent blind spot. The security process appears to be running, yet it cannot analyze system activity. This allows an attacker with administrative access to operate undetected while avoiding alerts that usually occur when security processes crash or stop abruptly.

How does the attack avoid kernel-level exploits?

The technique works entirely in user mode by leveraging legitimate Windows error reporting components. Since it does not rely on vulnerable drivers or kernel flaws, it bypasses defenses designed to stop traditional kernel-based tampering methods, making the approach more stealthy and accessible.

What role does MiniDumpWriteDump play in the attack?

MiniDumpWriteDump is intended for collecting process memory snapshots. It suspends all threads in the target process to ensure a consistent dump. The attack abuses this behavior by triggering the suspension of the EDR process, creating the opening required to freeze it before the dump operation can complete.

Why is WerFaultSecure.exe critical to the technique?

WerFaultSecure.exe has a privileged protection level that allows it to interact with protected processes such as EDR agents. When invoked to generate a dump, it successfully suspends the EDR. The attacker then suspends WerFaultSecure.exe itself, forming a deadlock that prevents the EDR from ever resuming.

What privileges are required for the attack?

The attacker must already have administrative rights. These privileges allow them to launch WerFaultSecure.exe with parameters targeting the EDR and to perform actions like monitoring thread states and suspending processes at the critical moment of the race condition.
