EDR-Freeze Tool Exploits Windows WER to Halt Defenses
A newly developed proof-of-concept known as the EDR-Freeze tool abuses the Windows Error Reporting (WER) system to suspend security software directly from user mode. The technique raises concerns about the ability of threat actors to bypass endpoint detection and response (EDR) systems without requiring administrative privileges.
Rather than relying on a vulnerability, EDR-Freeze targets a legitimate operating system component. By manipulating how WER handles crash reporting, the tool can pause active security processes, potentially opening a window for malicious activity. Because the method does not use traditional privilege escalation techniques, it is harder for standard defenses to detect.
Security researchers have highlighted the risks posed by this WER-based approach, emphasizing the need for vendors to reassess how their tools interact with native Windows components. The technique underscores a growing trend in exploiting trusted system features for evasion.
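One check that follows from the article's description: a security process that has been frozen in the way described shows every one of its threads in the suspended wait state. The PowerShell below is an added example, not code from the article or from the EDR-Freeze project; the process names on the watch-list are assumptions and should be replaced with the names your own EDR or antivirus vendor actually uses.

```powershell
# Added example: report security-agent processes that are missing or whose
# threads are all suspended. The watch-list names below are assumptions.
param(
    [string[]]$WatchList = @('MsMpEng', 'MsSense', 'SenseIR', 'NisSrv')
)

function Get-SuspendedSecurityProcess {
    param([string[]]$Names)

    $findings = @()
    foreach ($name in $Names) {
        # A killed agent is as bad as a frozen one, so absence is a finding too.
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            $findings += [pscustomobject]@{
                Name = $name; ProcessId = $null; State = 'NotRunning'
                Threads = 0; Suspended = 0
            }
            continue
        }
        foreach ($p in $procs) {
            # Thread info comes from the system process list, so it is readable
            # even for protected (PPL) processes that refuse a handle.
            $threads = @($p.Threads)
            # A thread suspended by another process reports ThreadState 'Wait'
            # with WaitReason 'Suspended'. -and short-circuits, so WaitReason
            # is only read when the thread is actually in the Wait state.
            $suspended = @($threads | Where-Object {
                $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
            })
            $state = if ($threads.Count -gt 0 -and $suspended.Count -eq $threads.Count) {
                'AllThreadsSuspended'
            } else {
                'Running'
            }
            $findings += [pscustomobject]@{
                Name      = $p.ProcessName
                ProcessId = $p.Id
                State     = $state
                Threads   = $threads.Count
                Suspended = $suspended.Count
            }
        }
    }
    return $findings
}

Get-SuspendedSecurityProcess -Names $WatchList | Format-Table -AutoSize
```

Run it on a schedule or from a monitoring agent and alert on any row whose State is not 'Running'; a legitimately idle agent keeps at least some threads in non-suspended wait states.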
Read the full article for more technical details and analysis:
https://www.bleepingcomputer.com/news/security/new-edr-freeze-tool-uses-windows-wer-to-suspend-security-software/
