EDR-Freeze

A tool that exploits a software vulnerability in WerFaultSecure to suspend EDR and antimalware processes, without resorting to the BYOVD (Bring Your Own Vulnerable Driver) attack method.

Compile EDR-Freeze

  • Install Visual Studio.
  • Download EDR-Freeze (GitHub).
  • Open the code in Visual Studio.
  • Edit the code as needed.
  • In Visual Studio:
    • Click on the project name (top collapsible).
    • Click on Project -> Properties.
    • Click on Configuration Properties -> C/C++ -> Code Generation.
    • Set Runtime Library to Multi-threaded Debug (/MTd) for the Debug configuration.
    • Click on Build -> Build Solution.

Suspend the EDR

Copy EDR-freeze.exe to the machine running the EDR.

Start Task Manager and find the PID of the EDR process to suspend.

Open a command prompt (run as Administrator).

EDR-freeze.exe <PID> <sleeptime in milliseconds>
EDR-freeze.exe 1234 10000
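From the defender's side, the observable in the procedure above is the launch of WerFaultSecure itself: it is a Windows Error Reporting component, and a copy of it started by an arbitrary user process whose command line points at a security product's PID is worth an alert. The script below is an added example and is not part of EDR-Freeze; it runs that heuristic over a few constructed process-creation records. The key=value record format, the `/pid` argument in the sample command lines, the set of protected image names and the set of parents treated as legitimate launchers are all assumptions made for the example and should be adapted to real telemetry (for instance Sysmon event ID 1, which carries image, parent image and command line).

```python
"""Flag WerFaultSecure.exe launches that look like an attempt to suspend a security product.

Heuristic (assumption for this example, not taken from the EDR-Freeze page):
  1. WerFaultSecure.exe started by a parent that is not an expected WER launcher.
  2. WerFaultSecure.exe whose command line references the PID of a protected process.
"""
import re
from dataclasses import dataclass

# Security-product image names to watch. Constructed for the example; use your own.
PROTECTED_IMAGES = {"msmpeng.exe", "edr_agent.exe"}

# Parents assumed to launch WerFaultSecure.exe legitimately (assumption: the WER
# service host and the WER fault handler). Tune this for your environment.
EXPECTED_PARENTS = {"svchost.exe", "werfault.exe"}

# Constructed process-creation records in a simple key=value format.
SAMPLE_LOG = [
    'pid=1234 image=MsMpEng.exe ppid=700 pimage=services.exe cmdline="C:\\Windows\\MsMpEng.exe"',
    'pid=4100 image=WerFaultSecure.exe ppid=900 pimage=svchost.exe cmdline="WerFaultSecure.exe /h /pid 5555"',
    'pid=4321 image=WerFaultSecure.exe ppid=3001 pimage=EDR-freeze.exe cmdline="WerFaultSecure.exe /h /pid 1234"',
]

# key=value pairs; values may be quoted so that command lines can contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed process-creation record into a ProcEvent."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return ProcEvent(
        pid=int(fields["pid"]),
        image=fields["image"].lower(),
        parent_pid=int(fields["ppid"]),
        parent_image=fields["pimage"].lower(),
        cmdline=fields.get("cmdline", ""),
    )


def detect(lines):
    """Return a list of alerts for suspicious WerFaultSecure.exe launches."""
    events = [parse_event(line) for line in lines if line.strip()]
    # PID -> image of every protected process seen in the same log window.
    protected = {e.pid: e.image for e in events if e.image in PROTECTED_IMAGES}
    alerts = []
    for e in events:
        if e.image != "werfaultsecure.exe":
            continue
        reasons = []
        if e.parent_image not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {e.parent_image} (pid {e.parent_pid})")
        # Any integer on the command line that matches a protected PID counts; this
        # avoids depending on the exact argument name WerFaultSecure uses.
        referenced = {int(tok) for tok in re.findall(r"\b\d+\b", e.cmdline)}
        for pid in sorted(referenced & set(protected)):
            reasons.append(f"command line references protected process {protected[pid]} (pid {pid})")
        if reasons:
            alerts.append({"pid": e.pid, "parent": e.parent_image, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"ALERT WerFaultSecure.exe pid={alert['pid']} parent={alert['parent']}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

On the sample records only the third one fires, with both reasons; the WerFaultSecure launch from svchost.exe that targets an unrelated PID is left alone. In production the parent check is the stronger signal, since the PID match only works when the security product's process creation is in the same log window.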

Reference