EDR-Freeze, a proof of concept targeting security tools installed on Windows workstations, was published on September 20, 2025. Its release by researcher TwoSevenOneThree has sparked a flurry of questions – chief among them: what is its real impact?
Attacks against EDRs
Today, attackers know that detection tools are increasingly ubiquitous on enterprise endpoints. To act discreetly, avoid raising suspicion, and evade blocking, they continually innovate methods to bypass endpoint security products. It is therefore common to see proofs of concept aimed at these defenses, such as EDRSandblast and EDRSilencer.
Attackers generally target one of two areas to achieve their goals:
- The user space
- The kernel space
The user space is where most user activities occur, making it the most accessible area for attackers. Because it’s easier to reach than the kernel space, attackers often target user space first to neutralize an EDR or bypass its protections. Common techniques include bypassing userland hooking (which intercepts or redirects system or API calls monitored by the EDR), hijacking or disabling security features such as AMSI or ETW, or simply killing the EDR agent process – an effective and frequently employed tactic.
In contrast, the kernel space is much more protected. Accessing it requires elevated privileges, and operating systems – especially Windows – restrict what can be loaded there. However, once attackers gain access, their potential impact expands dramatically. They can attempt to completely disable the EDR, intercept or block critical system event reporting (such as process creation, file system changes, and registry modifications), all while maintaining the appearance of normal system behavior. A notable example of such tactics is Bring Your Own Vulnerable Driver (BYOVD) attacks – historically used by advanced persistent threat (APT) groups like Lazarus but now increasingly adopted by cybercriminals in ransomware campaigns.
As mentioned earlier, EDR-Freeze is a new type of attack targeting EDRs that surfaced in 2025. But what exactly is it?
What is EDR-Freeze?
EDR-Freeze is an attack method that neutralizes security software; it emerged in late 2025. It abuses a legitimate, signed Windows binary, WerFaultSecure.exe, to interfere with processes belonging to security products such as antivirus software or EDRs, while remaining entirely in user space: it requires neither a vulnerable driver nor a kernel exploit.
EDR-Freeze works in two stages:
- The first stage leverages a legitimate Windows component, Windows Error Reporting (WER), which collects, analyzes, and optionally sends crash reports to Microsoft or provides administrators with diagnostic data. EDR-Freeze abuses the signed WerFaultSecure.exe binary to interact with protected processes such as EDRs and antivirus agents and capture their memory. To ensure a consistent snapshot, the target process's threads are temporarily suspended, effectively pausing the security agent so that its memory can be examined without corruption.
- Once the target's threads have been suspended for the memory capture, the tool suspends WerFaultSecure.exe itself, so that it never resumes the target and the security agent stays suspended. For as long as EDR-Freeze maintains that state, the EDR cannot perform its normal monitoring and response functions, creating a window of reduced visibility for subsequent attacker activity.
By relying exclusively on a legitimate Windows binary, this proof of concept can place any process on hold, preventing it from continuing to run. If that process is an EDR, an attacker could carry out malicious activity without raising suspicion for the entire duration of the interruption.
How HarfangLab protects itself against EDR-Freeze
As we have seen, the EDR-Freeze tool operates in user space, where most security products already implement self-protection mechanisms to limit potentially harmful actions against them.
HarfangLab’s EDR self-protection is enabled by its own driver, which intercepts all attempts to access its processes and associated files, verifying whether the requesting process is legitimate. To ensure robust protection – even when the user has administrative privileges on their machine – HarfangLab prevents the deletion or suspension of its EDR. Specifically, the WerFaultSecure.exe binary will be blocked from accessing the HarfangLab EDR process with certain rights, effectively preventing any interruption or tampering.
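The post says only that the driver intercepts access to the agent's processes and denies certain rights. The following is an added example, not HarfangLab's code, of what that access decision looks like in user-mode Python so it can be tested: a Windows kernel driver can implement it with ObRegisterCallbacks, whose pre-operation callback removes individual rights from the requested access mask before the handle is returned (whether HarfangLab's driver uses that API is not stated by the post). The allowlist, the product name ExampleEDR, and the request values are constructed.

```python
"""Model of the handle-access filtering a self-protecting EDR driver applies.

Added example, not HarfangLab's code. A kernel driver registered with
ObRegisterCallbacks can strip individual rights from an OpenProcess request
against a protected process; this user-mode model reproduces that decision.
The allowlist and the requests are constructed for illustration.
"""
from dataclasses import dataclass

# Process access rights as defined in the Windows SDK (winnt.h).
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Rights that would let a caller kill, freeze, or tamper with the agent.
DANGEROUS_RIGHTS = (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                    | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE
                    | PROCESS_SUSPEND_RESUME)

# Hypothetical allowlist (lower-cased full paths): only the product's own
# components keep unrestricted access to the protected processes.
TRUSTED_IMAGES = {
    r"c:\program files\exampleedr\agent.exe",
    r"c:\program files\exampleedr\updater.exe",
}


@dataclass(frozen=True)
class HandleRequest:
    requester_image: str    # full path of the process asking for the handle
    target_protected: bool  # True when the target is one of the agent's processes
    desired_access: int     # access mask the requester asked for


def filter_access(req: HandleRequest) -> int:
    """Return the access mask actually granted for this request.

    Mirrors what a pre-operation callback does: unprotected targets are left
    alone, trusted requesters keep everything, and every other requester loses
    DANGEROUS_RIGHTS. Being a signed OS binary does not earn trust, so a
    WerFaultSecure.exe launched by an attacker cannot obtain
    PROCESS_SUSPEND_RESUME or PROCESS_VM_READ on the agent, even as administrator.
    """
    if not req.target_protected:
        return req.desired_access
    if req.requester_image.lower() in TRUSTED_IMAGES:
        return req.desired_access
    return req.desired_access & ~DANGEROUS_RIGHTS


def can_suspend_or_dump(req: HandleRequest) -> bool:
    """True if the granted handle could still freeze the target or read its memory."""
    return bool(filter_access(req) & (PROCESS_SUSPEND_RESUME | PROCESS_VM_READ))


if __name__ == "__main__":
    # Constructed request: WerFaultSecure.exe wants to read and suspend the agent.
    req = HandleRequest(
        r"C:\Windows\System32\WerFaultSecure.exe", True,
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_SUSPEND_RESUME,
    )
    print(f"requested=0x{req.desired_access:04x} granted=0x{filter_access(req):04x} "
          f"can_freeze={can_suspend_or_dump(req)}")
```

The design point is that trust is decided by the requester's identity against an allowlist, not by whether the requesting binary is signed by Microsoft: the query rights survive so ordinary tooling keeps working, while the rights needed to suspend, terminate or read the agent are removed for everyone else.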
An EDR automatically protected against attack and bypass attempts
While the concept behind EDR-Freeze is intriguing, HarfangLab EDR automatically protects itself against this type of attack, which relies solely on user space and legitimate Windows operating system binaries.
Furthermore, the use of such a tool leaves distinct traces, and its behavior is quite characteristic – making it relatively easy to detect through signature-based rules (like YARA) or behavioral rules (such as Sigma).
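As an added example of the behavioural detection this paragraph refers to (not HarfangLab's detection content), the script below encodes the two stages described earlier as the logic a Sigma-style rule would express, and runs it over constructed telemetry: WerFaultSecure.exe opening a security agent's process with memory-read or suspend rights, a security agent whose threads are all suspended, and a WerFaultSecure.exe that stays fully suspended far longer than a crash-dump run takes. The access records mimic the field names of Sysmon Event ID 10 (ProcessAccess); the process snapshot, the agent image names (ExampleEDR is hypothetical) and the age threshold are constructed.

```python
"""Detection logic for the EDR-Freeze pattern, run over constructed telemetry.

Added example, not HarfangLab's detection content. The access records use the
Sysmon Event ID 10 (ProcessAccess) field names; the process snapshot records,
agent image names and threshold are constructed for this example.
"""
from typing import Iterable, List

PROCESS_VM_READ = 0x0010
PROCESS_SUSPEND_RESUME = 0x0800

# Hypothetical security-agent image names to watch (lower-case basenames).
AGENT_IMAGES = {"exampleedr-agent.exe", "msmpeng.exe"}
FROZEN_LIMIT_S = 30  # constructed threshold for a suspended WerFaultSecure.exe


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_access(event: dict) -> bool:
    """ProcessAccess record: WerFaultSecure.exe opened an agent with suspend
    and/or memory-read rights. GrantedAccess is the hex string Sysmon logs."""
    if _basename(event.get("SourceImage", "")) != "werfaultsecure.exe":
        return False
    if _basename(event.get("TargetImage", "")) not in AGENT_IMAGES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & (PROCESS_VM_READ | PROCESS_SUSPEND_RESUME))


def _fully_suspended(proc: dict) -> bool:
    return proc["Threads"] > 0 and proc["SuspendedThreads"] == proc["Threads"]


def agent_frozen(proc: dict) -> bool:
    """Process snapshot record: every thread of a security agent is suspended."""
    return _basename(proc["Image"]) in AGENT_IMAGES and _fully_suspended(proc)


def lingering_werfaultsecure(proc: dict) -> bool:
    """WerFaultSecure.exe fully suspended for longer than a dump should take
    (the second stage of the technique keeps it that way on purpose)."""
    return (_basename(proc["Image"]) == "werfaultsecure.exe"
            and _fully_suspended(proc)
            and proc["AgeSeconds"] > FROZEN_LIMIT_S)


def analyse(access_events: Iterable[dict], snapshot: Iterable[dict]) -> List[str]:
    """Return one finding string per matched record."""
    findings = []
    for ev in access_events:
        if suspicious_access(ev):
            findings.append(f"werfaultsecure-access target={_basename(ev['TargetImage'])} "
                            f"granted={ev['GrantedAccess']}")
    for p in snapshot:
        if agent_frozen(p):
            findings.append(f"agent-frozen pid={p['ProcessId']} image={_basename(p['Image'])}")
        if lingering_werfaultsecure(p):
            findings.append(f"werfaultsecure-frozen pid={p['ProcessId']} age={p['AgeSeconds']}s")
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_ACCESS = [
    {"SourceImage": r"C:\Windows\System32\WerFault.exe",        # ordinary crash handler
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\WerFaultSecure.exe",  # the pattern to catch
     "TargetImage": r"C:\Program Files\ExampleEDR\exampleedr-agent.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\WerFaultSecure.exe",  # query-only: harmless
     "TargetImage": r"C:\Program Files\ExampleEDR\exampleedr-agent.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\System32\WerFaultSecure.exe",  # target is not an agent
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]
SAMPLE_SNAPSHOT = [
    {"ProcessId": 1234, "Image": r"C:\Program Files\ExampleEDR\exampleedr-agent.exe",
     "Threads": 24, "SuspendedThreads": 24, "AgeSeconds": 86400},
    {"ProcessId": 4321, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "Threads": 3, "SuspendedThreads": 3, "AgeSeconds": 600},
    {"ProcessId": 5000, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "Threads": 3, "SuspendedThreads": 0, "AgeSeconds": 5},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_ACCESS, SAMPLE_SNAPSHOT):
        print(finding)
```

Run against the sample data it reports three findings: the access event with full rights on the agent, the fully suspended agent process, and the WerFaultSecure.exe instance that has been suspended for ten minutes. The ordinary WerFault.exe event, the query-only handle and the short-lived, running WerFaultSecure.exe produce nothing, which is the noise a production rule has to stay quiet on.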
Finally, deploying this tool assumes the attacker has already gained access to the system. By that stage, they have likely triggered multiple alerts, meaning their presence would probably have already been flagged by the EDR!