EDR-Freeze
EDR-Freeze is a driverless EDR/AV evasion tool and technique that abuses built-in Windows debugging mechanisms from user mode to temporarily suspend endpoint detection and response (EDR) and antivirus processes, leaving them hung or unresponsive. Reporting states that it leverages Windows internals including MiniDumpWriteDump and WerFaultSecure.exe; detections accordingly monitor WerFaultSecure.exe loading dbgcore.dll and dbghelp.dll and accessing security processes such as MsMpEng.exe. It is described as an alternative to BYOVD-style EDR killers because it does not require loading a vulnerable third-party driver. ESET identified EDR-Freeze as part of an emerging class of driverless EDR killers that ransomware actors are adopting quickly and using as a pre-encryption defense-evasion component in modern ransomware intrusions. The tool is associated in the reporting with security researcher TwoSevenOneT, who is also noted for EDR-Redir and EDRStartupHinder. High-confidence detection indicators cited include WerFaultSecure.exe, dbgcore.dll, dbghelp.dll, access to EDR processes including MsMpEng.exe, and updated hacktool detections with a new executable name and new IMPHASH values, though the specific values are not provided.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic: Stealth (1 technique) and Other (2 techniques).
"Tools like EDRSilencer and EDR-Freeze do not need to interact with the system kernel at all. Instead, they block network communication between the endpoint and the security backend, or they force the EDR software to freeze in place."
"Before launching their file-encrypting malware, cybercriminals routinely deploy specialized tools to bypass security software... Attackers are now heavily using driverless methods, custom command-line scripts, and legitimate anti-rootkit utilities to turn off security defenses."
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A driverless EDR killer that disrupts EDR functionality by blocking outbound traffic from security solutions.
Driverless EDR killer that causes EDR processes to hang or become unresponsive.
EDR evasion tool referenced as an example of an advanced technique used to tamper with or disable protected EDR processes when simpler user-mode configuration changes fail.
A Windows EDR-evasion hacktool/technique that leverages debugging libraries (dbgcore.dll/dbghelp.dll) and WerFaultSecure.exe to suspend or interfere with security processes (e.g., MsMpEng.exe). Related detections also cover LSASS access/credential dumping when these DLLs appear in call traces or originate from uncommon locations.
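Detection logic for the behaviour described in the summary above and in the last source note, as an added example that is not part of this page or of any vendor's rules: it walks constructed Sysmon-style image-load and process-access events and alerts only when the same WerFaultSecure.exe instance both loads dbgcore.dll/dbghelp.dll and opens a handle to MsMpEng.exe, so ordinary crash reporting (which loads dbghelp.dll but touches no security process) is not flagged. The event field names and the sample events are assumptions constructed for this example.

```python
"""Detection logic for the EDR-Freeze behaviour described above, run over
constructed Sysmon-style events (image loads and process-access events).
Field names are assumptions modelled on Sysmon's ImageLoaded / SourceImage /
TargetImage; the sample events are constructed, not real telemetry."""
from collections import defaultdict
from pathlib import PureWindowsPath

DEBUG_DLLS = {"dbgcore.dll", "dbghelp.dll"}
SECURITY_PROCESSES = {"msmpeng.exe"}  # extend with other EDR/AV image names
SUSPECT_HOST = "werfaultsecure.exe"

# Constructed sample events (not captured from a real host).
EVENTS = [
    {"id": 7, "pid": 4321, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "loaded": r"C:\Windows\System32\dbgcore.dll"},
    {"id": 7, "pid": 4321, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "loaded": r"C:\Windows\System32\dbghelp.dll"},
    {"id": 10, "pid": 4321, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "target": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    # Benign crash reporting: loads dbghelp.dll but touches a non-security process.
    {"id": 7, "pid": 5555, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "loaded": r"C:\Windows\System32\dbghelp.dll"},
    {"id": 10, "pid": 5555, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "target": r"C:\Program Files\App\app.exe"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()

def detect_edr_freeze(events):
    """Return {pid: {"dlls": set, "targets": set}} for WerFaultSecure.exe
    instances that loaded a debug DLL AND opened a security process."""
    by_pid = defaultdict(lambda: {"dlls": set(), "targets": set()})
    for ev in events:
        if basename(ev["image"]) != SUSPECT_HOST:
            continue
        if ev["id"] == 7 and basename(ev["loaded"]) in DEBUG_DLLS:
            by_pid[ev["pid"]]["dlls"].add(basename(ev["loaded"]))
        elif ev["id"] == 10 and basename(ev["target"]) in SECURITY_PROCESSES:
            by_pid[ev["pid"]]["targets"].add(basename(ev["target"]))
    # High confidence only when both behaviours come from the same process.
    return {pid: d for pid, d in by_pid.items() if d["dlls"] and d["targets"]}

if __name__ == "__main__":
    for pid, d in detect_edr_freeze(EVENTS).items():
        print(f"ALERT pid={pid} dlls={sorted(d['dlls'])} targets={sorted(d['targets'])}")
```

Either behaviour alone (a debug DLL load, or a handle to MsMpEng.exe) is still worth logging at lower severity; the correlation is what raises confidence enough to page on.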