Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze

Rule Info

Name
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects process access events in which WerFaultSecure.exe opens MsMpEng.exe (the Microsoft Defender Antivirus engine) with dbgcore.dll or dbghelp.dll in the call trace, a pattern associated with the EDR-Freeze technique. EDR-Freeze abuses WerFaultSecure.exe, which runs as a Protected Process Light (PPL) at the WinTCB protection level, to call MiniDumpWriteDump against an EDR/AV process; writing the minidump suspends the target's threads, so the attacker can hold the security process frozen and execute malicious activity undetected during the suspension period.
Date
2025-11-27
Modified
None
Id
387df17d-3b04-448f-8669-9e7fd5e5fd8c
Tags
attack.defense-evasion attack.t1562.001
Type
Community Rule
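The detection logic described above, run over constructed Sysmon process-access records, as an added Python example; this is not the rule's own Sigma YAML nor any Nextron code. SourceImage, TargetImage and CallTrace are the standard Sysmon Event ID 10 fields; every path, module offset and Defender platform version in the sample records is made up for illustration.

```python
from typing import Iterable

# Minidump-related modules that show up in the call trace when MiniDumpWriteDump runs.
DUMP_MODULES = ("dbgcore.dll", "dbghelp.dll")


def matches_edr_freeze(event: dict) -> bool:
    """Return True for a Sysmon process-access event (Event ID 10) in which
    WerFaultSecure.exe opens MsMpEng.exe with a minidump DLL on the call stack."""
    if event.get("EventID") != 10:
        return False
    source = str(event.get("SourceImage", "")).lower()
    target = str(event.get("TargetImage", "")).lower()
    trace = str(event.get("CallTrace", "")).lower()
    return (
        source.endswith("\\werfaultsecure.exe")
        and target.endswith("\\msmpeng.exe")
        and any(module in trace for module in DUMP_MODULES)
    )


def scan(events: Iterable[dict]) -> list:
    """Return the events that match the rule, in input order."""
    return [event for event in events if matches_edr_freeze(event)]


# Constructed sample records: hypothetical paths, offsets and version string.
DEFENDER_ENGINE = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"
WERFAULTSECURE = r"C:\Windows\System32\WerFaultSecure.exe"

SAMPLE_EVENTS = [
    {   # 1: EDR-Freeze pattern with dbgcore.dll on the stack -> match
        "RecordId": 1, "EventID": 10,
        "SourceImage": WERFAULTSECURE, "TargetImage": DEFENDER_ENGINE,
        "CallTrace": r"C:\Windows\System32\ntdll.dll+9d4c4|C:\Windows\System32\dbgcore.dll+1b3f2|"
                     + WERFAULTSECURE + "+2a11",
    },
    {   # 2: ordinary WerFault.exe, not the PPL variant -> no match
        "RecordId": 2, "EventID": 10,
        "SourceImage": r"C:\Windows\System32\WerFault.exe", "TargetImage": DEFENDER_ENGINE,
        "CallTrace": r"C:\Windows\System32\ntdll.dll+9d4c4|C:\Windows\System32\dbghelp.dll+4c1e0",
    },
    {   # 3: WerFaultSecure dumping a non-security process -> no match
        "RecordId": 3, "EventID": 10,
        "SourceImage": WERFAULTSECURE, "TargetImage": r"C:\Windows\System32\notepad.exe",
        "CallTrace": r"C:\Windows\System32\ntdll.dll+9d4c4|C:\Windows\System32\dbgcore.dll+1b3f2",
    },
    {   # 4: WerFaultSecure touches MsMpEng but no minidump module on the stack -> no match
        "RecordId": 4, "EventID": 10,
        "SourceImage": WERFAULTSECURE, "TargetImage": DEFENDER_ENGINE,
        "CallTrace": r"C:\Windows\System32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2f0a1",
    },
    {   # 5: same pattern as 1 via dbghelp.dll, mixed-case paths -> match
        "RecordId": 5, "EventID": 10,
        "SourceImage": r"C:\WINDOWS\SYSTEM32\WERFAULTSECURE.EXE", "TargetImage": DEFENDER_ENGINE,
        "CallTrace": r"C:\WINDOWS\SYSTEM32\ntdll.dll+9d4c4|C:\WINDOWS\SYSTEM32\DBGHELP.DLL+4c1e0",
    },
    {   # 6: a different event type carrying the same fields -> ignored
        "RecordId": 6, "EventID": 1,
        "SourceImage": WERFAULTSECURE, "TargetImage": DEFENDER_ENGINE,
        "CallTrace": r"C:\Windows\System32\dbgcore.dll+1b3f2",
    },
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"record {hit['RecordId']}: {hit['SourceImage']} -> {hit['TargetImage']}")
```

WerFaultSecure.exe is also the component Windows Error Reporting uses to dump protected processes that genuinely crash, so a hit on its own is not proof of EDR-Freeze: check whether MsMpEng.exe actually crashed at that time and, more tellingly, whether it stayed suspended after the dump should have finished. A freeze that outlives the dump is the stronger signal.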

Rule History

Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules
Date
2025-12-10
Commit