Endpoint detection and response (EDR) bypass and evasion tools and techniques are commonly used by threat and ransomware groups to evade security defenses to carry out their attacks.
One common approach is to use BYOVD (Bring Your Own Vulnerable Driver) techniques to disable EDR and Antivirus protections, but that requires threat actors to install vulnerable drivers to exploit.
A new approach avoids the need to install vulnerable drivers by using Windows Error Reporting and the MiniDumpWriteDump function to put antivirus processes into hibernation, all done in user mode without the need for third-party tools.
The exploit, dubbed EDR-Freeze, was published earlier this week by the anonymous researcher Two One Seven Three on Zero Salarium.
Using Windows Functions to Bypass EDR
The MiniDumpWriteDump function in the Windows DbgHelp library creates a minidump of a process for debugging.
“But here’s the catch: it suspends all threads in the target process during the dump,” the researcher wrote. “… This is necessary because threads could otherwise be modifying memory while the dump is being written, leading to corruption or inconsistencies.”
Microsoft recommends using the function from an external process instead of calling it from within the crashing process to avoid deadlocks.
The researcher faced two challenges: MiniDumpWriteDump executes very quickly, creating the challenge of extending its execution time; and EDR and Antivirus processes are often secured with Protected Process Light (PPL), which would have to be bypassed to tinker with those processes.
By reverse-engineering the WerFaultSecure program, “we can use it to activate the MiniDumpWriteDump function with any desired process,” the researcher said. “By combining with the CreateProcessAsPPL tool, we can leverage WerFaultSecure to address the second issue. … if a normal process can run a new process with PPL protection, then during the CreateProcess, we can force the child PPL process to suspend by using the CREATE_SUSPENDED flag.”
The PROCESS_SUSPEND_RESUME privilege can be used to resume and suspend the process.
Process Explorer can suspend a process protected with PPL – but not processes marked as antimalware.
“But that is enough,” the researcher said. “With all the information above, if we can make WerFaultSecure perform the dump process and then call MiniDumpWriteDump with Antivirus processes, and then we suspend WerFaultSecure right at the moment it puts the target process into a suspended state, the target program will be suspended indefinitely because the process that could resume it, WerFaultSecure, has also been suspended.”
EDR Bypass Through a Race Condition Attack
The Zero Salarium researcher described a race condition attack with four steps:
- Use CreateProcessAsPPL to run WerFaultSecure with protection at the WinTCB level;
- Fill in the parameters for WerFaultSecure so that it performs the dump of the target process;
- Check the status of the target process until it is suspended;
- Then use OpenProcess with the PROCESS_SUSPEND_RESUME privilege and NtSuspendProcess to suspend the WerFaultSecure process.
The researcher created a tool on GitHub to run the exploit – and another researcher quickly wrote a KQL rule to detect it.
“The biggest weakness of the BYOVD attack is that you must carry drivers with software vulnerabilities to exploit, which can easily cause dangerous disturbances on monitored target machines,” the Zero Salarium researcher wrote.
“With EDR-Freeze, exploiting the software vulnerability of the WerFaultSecure program available on Windows will address the weakness of the BYOVD technique. Additionally, we can flexibly control the programs of EDRs and Antimalware, deciding when they should run and when they should be suspended at will, ensuring that everything operates more smoothly.”
