Hackers Deploy New EDR-Freeze Tool to Disable Security Software
gbhackers

A security researcher has released a new tool that can temporarily disable endpoint detection and response (EDR) systems and antivirus software without requiring vulnerable drivers, marking a significant evolution in attack techniques targeting security solutions.
Advanced Evasion Through Windows Components
The tool, dubbed EDR-Freeze and developed by researcher TwoSevenOneT, abuses Windows Error Reporting functionality to suspend security processes through a race condition.
Unlike Bring Your Own Vulnerable Driver (BYOVD) techniques, which require attackers to load a signed but vulnerable driver into the kernel, EDR-Freeze operates entirely in user mode using legitimate, signed Windows components.
The attack leverages the MiniDumpWriteDump function from Windows’ DbgHelp library, which creates memory snapshots of running processes for debugging purposes.
During this operation, the function suspends all threads in the target process to ensure consistent memory capture.
EDR-Freeze exploits this behavior by triggering the dump process against security software and then suspending the dumping process itself, leaving the target security solution ...
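The article describes the end state rather than how to recognise it: a security process whose threads are all parked in the Suspended wait state, together with a suspended dump-writing process. The following PowerShell check is an added example written for this page; it is not code from the article or from the EDR-Freeze tool. It assumes the process names to inspect (MsMpEng for Defender and WerFaultSecure as the Windows Error Reporting dump writer are placeholders; the article names only "Windows Error Reporting functionality"), and it samples twice so that a legitimate, short-lived crash dump is not mistaken for a freeze.

```powershell
# Added example, not part of the gbhackers article or of EDR-Freeze.
# Reports processes whose threads are ALL in the Suspended wait state, which is
# the condition MiniDumpWriteDump leaves its target in while a dump is written.
# A persistent, fully-suspended security process is the indicator to investigate.
function Get-SuspendedProcessReport {
    param(
        # Assumed names: substitute your EDR/AV executables and the WER dumper.
        [string[]]$Name = @('MsMpEng', 'WerFaultSecure'),
        # Seconds between the two samples; a real crash dump normally finishes
        # well inside this window, a freeze does not.
        [int]$SampleSeconds = 5
    )

    function Measure-Suspension {
        param([System.Diagnostics.Process]$Process)
        # Process.Threads is populated from the system process snapshot, so it is
        # readable even for protected processes we cannot open a handle to.
        $threads = @($Process.Threads)
        # WaitReason throws unless ThreadState is Wait, so test ThreadState first
        # (-and short-circuits in PowerShell).
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
        })
        [pscustomobject]@{
            Threads   = $threads.Count
            Suspended = $suspended.Count
            AllSuspended = ($threads.Count -gt 0 -and $suspended.Count -eq $threads.Count)
        }
    }

    $first = @{}
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $first[$p.Id] = Measure-Suspension -Process $p
    }

    Start-Sleep -Seconds $SampleSeconds

    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        # Refresh cached thread information before the second sample.
        $p.Refresh()
        $second = Measure-Suspension -Process $p
        $earlier = $first[$p.Id]
        [pscustomobject]@{
            Name             = $p.ProcessName
            Id               = $p.Id
            Threads          = $second.Threads
            SuspendedThreads = $second.Suspended
            # Frozen across both samples: not a transient dump, worth an alert.
            PersistentFreeze = ($null -ne $earlier -and $earlier.AllSuspended -and $second.AllSuspended)
        }
    }
}

# Usage: list only processes that stayed fully suspended for the whole window.
Get-SuspendedProcessReport | Where-Object PersistentFreeze | Format-Table -AutoSize
```

Two caveats for anyone turning this into a detection. First, a single sample of suspended threads is weak evidence on its own, because Windows Error Reporting legitimately suspends a process while writing a crash dump; the persistence across samples is what separates the two. Second, if the suspended dumper is itself the Windows Error Reporting process, it will also appear fully suspended in this report, so both rows together are the stronger signal.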