
Hacktool - EDR-Freeze Execution

Tags: sigma · HIGH · SigmaHQ · T1685 · imProcessCreate · exploit
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-08T23:00:01Z · Confidence: low

Hunt Hypothesis

Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process, using only user-mode functionality rather than kernel exploits or BYOVD.

Detection Rule

Sigma (Original)

title: Hacktool - EDR-Freeze Execution
id: c598cc0c-9e70-4852-b9eb-8921af79f598
status: experimental
description: |
    Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.
    EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.
    This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
modified: 2025-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|contains:
            - '\EDR-Freeze'
            - '\EDRFreeze'
        Image|endswith: '.exe'
    selection_imphash:
        Hashes|contains:
            - 'IMPHASH=1195F7935954A2CD09157390C33F8E8C'
            - 'IMPHASH=129F58DE3D687FB7F012BF6C3D679997'
            - 'IMPHASH=2C617A175D0086251642C6619F7CC8BA'
            - 'IMPHASH=8828F0B906F7844358FB92A899E9520F'
            - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'
            - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'
            - 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0'
            - 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml

KQL (Azure Sentinel)

imProcessCreate
| where ((TargetProcessName contains "\\EDR-Freeze" or TargetProcessName contains "\\EDRFreeze") and TargetProcessName endswith ".exe") or (TargetProcessIMPHASH startswith "1195F7935954A2CD09157390C33F8E8C" or TargetProcessIMPHASH startswith "129F58DE3D687FB7F012BF6C3D679997" or TargetProcessIMPHASH startswith "2C617A175D0086251642C6619F7CC8BA" or TargetProcessIMPHASH startswith "8828F0B906F7844358FB92A899E9520F" or TargetProcessIMPHASH startswith "AF76D95157EC554DC1EF178E4E66D447" or TargetProcessIMPHASH startswith "E1B04316B61ACA31DD52ABBEC0A37FD5" or TargetProcessIMPHASH startswith "8B2D5B54AFCFEC60D54F6B31D80ED4A0" or TargetProcessIMPHASH startswith "AB8BB31EDD91D2A05FE7B62A535E9EB7")
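The Sigma rule above has two independent selections joined by `1 of selection_*`: a path-based match on the binary name and an import-hash match that still fires when the binary is renamed. The following Python is an added example (not from SigmaHQ or this feed) that evaluates both selections over constructed Sysmon-style process-creation events; the Hashes field format and the sample paths are assumptions for illustration.

```python
# Added example (not from the SigmaHQ rule or this feed): evaluates the rule's two
# selections over constructed Sysmon-style process-creation events.
IMAGE_CONTAINS = ("\\edr-freeze", "\\edrfreeze")   # selection_img, Image|contains
IMAGE_ENDSWITH = ".exe"                             # selection_img, Image|endswith
IMPHASHES = {                                       # selection_imphash, from the rule
    "1195F7935954A2CD09157390C33F8E8C", "129F58DE3D687FB7F012BF6C3D679997",
    "2C617A175D0086251642C6619F7CC8BA", "8828F0B906F7844358FB92A899E9520F",
    "AF76D95157EC554DC1EF178E4E66D447", "E1B04316B61ACA31DD52ABBEC0A37FD5",
    "8B2D5B54AFCFEC60D54F6B31D80ED4A0", "AB8BB31EDD91D2A05FE7B62A535E9EB7",
}

def parse_hashes(field):
    """Split a Sysmon Hashes field ('SHA256=...,IMPHASH=...') into {ALGO: VALUE}."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().upper()
    return out

def selection_img(event):
    # Sigma contains/endswith are case-insensitive by default, so lowercase first.
    image = event.get("Image", "").lower()
    return any(s in image for s in IMAGE_CONTAINS) and image.endswith(IMAGE_ENDSWITH)

def selection_imphash(event):
    # Equivalent of Hashes|contains 'IMPHASH=<value>' once the field is parsed.
    return parse_hashes(event.get("Hashes", "")).get("IMPHASH") in IMPHASHES

def matched_selections(event):
    """Selections the event satisfies; a non-empty list means '1 of selection_*' holds."""
    checks = {"selection_img": selection_img, "selection_imphash": selection_imphash}
    return [name for name, check in checks.items() if check(event)]

# Constructed sample events (not real telemetry); only the second carries a listed import hash.
EVENTS = [
    {"Image": r"C:\Users\Public\EDR-Freeze.exe",
     "Hashes": "SHA256=0000,IMPHASH=00000000000000000000000000000000"},  # name only
    {"Image": r"C:\Tools\update.exe",
     "Hashes": "MD5=0000,IMPHASH=1195f7935954a2cd09157390c33f8e8c"},    # renamed binary
    {"Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "Hashes": "IMPHASH=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"},              # not in scope
    {"Image": r"C:\Users\Public\edrfreeze.dll",
     "Hashes": "IMPHASH=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"},              # not an .exe
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["Image"], "->", matched_selections(event) or "no match")
```

Note that the legitimate WerFaultSecure.exe launch itself is out of scope for this rule; only the EDR-Freeze binary, by name or import hash, produces a hit.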

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml