
A Stealthy Evasion Tactic: How Attackers Use a Windows Feature to Freeze Security Tools
In the ongoing cat-and-mouse game of cybersecurity, attackers are constantly developing new ways to evade detection. One of the most effective strategies is to turn a system’s own legitimate tools against it. A recently discovered technique does just that, exploiting a core component of Microsoft Windows to effectively suspend and neutralize Endpoint Detection and Response (EDR) solutions and other security software.
This method leverages the Windows Error Reporting (WER) service, a built-in feature designed to help diagnose and report application crashes. By manipulating this trusted system process, attackers can create a significant blind spot, allowing them to operate on a compromised machine without triggering any alarms.
Understanding the Attack: Abusing Windows Error Reporting
At the heart of this technique is a legitimate Windows executable, WerFaultSecure.exe, the protected variant of the WER crash handler WerFault.exe. It runs as a Protected Process Light (PPL), which is what allows it to read the memory of other protected processes, including anti-malware services. When an application on your system crashes, WER invokes the crash handler to collect information about the crash, including writing a memory dump of the faulting process.
To ensure the dump captures a consistent snapshot of the crashing program, the crash handler suspends all of the target's threads before it starts reading memory, and resumes them only when the dump is finished. This "freeze" prevents the program from changing its state while the diagnostic data is being collected.
Attackers have discovered how to trigger this deliberately. Using a small tool (the public proof of concept is called EDR-Freeze), they launch WerFaultSecure.exe by hand and give it the PID of a perfectly healthy security agent, such as an EDR sensor or antivirus service, as though that process had crashed. The attack then proceeds as follows:
- Target Identification: The attacker identifies the process ID (PID) of the EDR or other security software running on the endpoint.
- Malicious Invocation: The attacker's tool launches WerFaultSecure.exe, passing it the PID (and a thread ID) of the security software as the dump target, together with handles for the dump output.
- Process Suspension: WerFaultSecure.exe, acting as designed, immediately suspends all threads of the targeted security agent to begin its "crash dump" procedure.
- Holding the Freeze: On its own the freeze would last only as long as the dump takes; once the file is written, the target's threads are resumed. The tool therefore waits for the target to enter the suspended state and then suspends WerFaultSecure.exe itself, so the dump never completes and the security agent stays frozen until the attacker chooses to release it.
- Open Season for Attackers: With the security software effectively frozen in time, it can no longer monitor system activity, detect malicious behavior, or report back to a central security console. The attacker now has a wide-open window to execute further commands, deploy malware, or exfiltrate data undetected.
Why This Technique is So Dangerous
The sophistication of this method lies in its stealth and reliance on legitimate system functions, a strategy commonly known as Living off the Land (LotL).
- Uses a Trusted, Signed Executable: Because WerFaultSecure.exe is a legitimate, Microsoft-signed system file, its activity is unlikely to be flagged as suspicious by basic security controls. It is a trusted part of the operating system doing what it is supposed to do.
- Avoids Terminating the Process: Unlike noisy attacks that try to kill or uninstall security software, this technique simply pauses it. The security process still appears in the system's task list, making it much harder to spot during a routine check. A frozen agent does, however, stop sending telemetry and heartbeats to its console, which for defenders is one of the few remaining signals.
- Broad Applicability: This method is not limited to a specific EDR vendor. Any process can be targeted, including anti-malware services that run as PPL, because the dumper itself runs at that protection level. No vulnerable kernel driver is needed; the attack runs entirely in user mode with administrator rights, so it also leaves no driver-load event behind.
Protecting Your Systems: Detection and Mitigation Strategies
Defending against an attack that uses legitimate system tools requires a more nuanced approach than simply blocking known malicious files. Security teams must focus on behavior and context rather than just identity.
Here are actionable steps to help detect and mitigate this threat:
- Monitor for Anomalous Process Behavior: The key to detection is context. WerFaultSecure.exe running after a crash is normal, but it should be started by the WER service (WerSvc, hosted in svchost.exe) and not by an arbitrary user-land binary, and it should not be dumping a healthy, critical security process. Alert on unusual parent-child relationships and on WerFaultSecure.exe or WerFault.exe being invoked against security agents without a corresponding crash event.
- Scrutinize Command-Line Arguments: WerFaultSecure.exe receives the target's PID and thread ID on its command line (/pid and /tid), so the dump target can be recovered from process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled) and compared against the PIDs of your own security agents. Hunt for these launches and review who started them.
- Watch for Suspended Security Processes: An EDR or antivirus service whose threads are all suspended, or that has gone quiet on its management console, should be treated as a possible freeze rather than an ordinary hang and investigated promptly.
- Implement Behavioral Analytics: Modern security platforms that focus on behavioral analytics are better equipped to handle LotL threats. These systems can establish a baseline of normal activity and flag deviations, such as a system utility unexpectedly interacting with a security tool.
- Maintain a Layered Defense: Relying solely on one security tool is a significant risk. A layered defense-in-depth strategy, including network monitoring, access controls, and regular threat hunting, ensures that even if one layer is bypassed, others may still detect the malicious follow-on activity.
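The hunting logic behind the first two bullets, as an added Python example that is not part of the original article or of the EDR-Freeze tool: it runs over a handful of constructed Sysmon-style process-creation records, pulls the dump target PID out of the WER crash handler's command line, resolves it against a constructed process-table snapshot, and raises an alert when the target is a security agent or the launcher is not the WER service host. The agent list, the process table, the events, and the full WerFaultSecure command line are constructed for illustration; the detection itself relies only on the /pid argument of WerFaultSecure.exe and the -p argument of WerFault.exe, and the "parent must be svchost.exe" rule is a stated assumption to tune against your own telemetry.

```python
"""Flag WER crash handlers launched against security agents.

Added example over constructed Sysmon Event ID 1 style records; it is not
code from the article or from the EDR-Freeze tool.
"""
import re
from dataclasses import dataclass, field

# Crash handlers that suspend their target's threads while dumping it.
WER_HANDLERS = {"werfault.exe", "werfaultsecure.exe"}

# Image names of security agents to protect. The Microsoft Defender names are
# real; "edragent.exe" is a placeholder for a third-party sensor.
SECURITY_AGENTS = {"msmpeng.exe", "mssense.exe", "senseir.exe", "edragent.exe"}

# Assumption: legitimate launches come from the WER service (WerSvc) hosted in
# svchost.exe, so any other parent is worth a look.
EXPECTED_PARENT = "svchost.exe"

# WerFaultSecure.exe names its target with "/pid <n>", WerFault.exe with "-p <n>".
PID_ARG = re.compile(r"(?:/pid|-p)\s+(\d+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    """One process-creation event (subset of Sysmon Event ID 1 fields)."""
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass
class Alert:
    event: ProcEvent
    target_pid: int
    target_image: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dump_target_pid(command_line: str):
    """Return the PID the crash handler was told to dump, or None."""
    m = PID_ARG.search(command_line)
    return int(m.group(1)) if m else None


def detect_freeze(events, process_table):
    """Return alerts for WER handler launches that look like a freeze.

    process_table maps PID -> image path, a snapshot taken at event time.
    """
    alerts = []
    for ev in events:
        if basename(ev.image) not in WER_HANDLERS:
            continue
        tpid = dump_target_pid(ev.command_line)
        if tpid is None:
            continue
        target = process_table.get(tpid, "<unknown>")
        reasons = []
        if basename(target) in SECURITY_AGENTS:
            reasons.append(f"dump target {basename(target)} (pid {tpid}) is a security agent")
        if basename(ev.parent_image) != EXPECTED_PARENT:
            reasons.append(f"launched by {basename(ev.parent_image)}, not the WER service host")
        if reasons:
            alerts.append(Alert(ev, tpid, target, reasons))
    return alerts


# Constructed sample data: PID snapshot and four process-creation events.
PROCESS_TABLE = {
    1188: r"C:\Windows\System32\svchost.exe",
    2200: r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
    4321: r"C:\Windows\System32\notepad.exe",
}

SAMPLE_EVENTS = [
    # Genuine crash: the WER service dumps a crashed notepad. No alert.
    ProcEvent(5001, r"C:\Windows\System32\WerFault.exe",
              "WerFault.exe -u -p 4321 -s 1234", r"C:\Windows\System32\svchost.exe"),
    # Freeze attempt: a user-land tool starts the protected handler against Defender.
    ProcEvent(5002, r"C:\Windows\System32\WerFaultSecure.exe",
              "WerFaultSecure.exe /h /pid 2200 /tid 2204 /file 312 /encfile 316 /cancel 320 /type 268310",
              r"C:\Users\bob\tools\freeze.exe"),
    # Handler started by the service but aimed at Defender: still needs triage.
    ProcEvent(5003, r"C:\Windows\System32\WerFaultSecure.exe",
              "WerFaultSecure.exe /h /pid 2200 /tid 2204 /file 400 /encfile 404 /cancel 408 /type 268310",
              r"C:\Windows\System32\svchost.exe"),
    # Unrelated process creation.
    ProcEvent(5004, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe --type=renderer", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]


if __name__ == "__main__":
    for a in detect_freeze(SAMPLE_EVENTS, PROCESS_TABLE):
        print(f"ALERT pid={a.event.pid} {basename(a.event.image)} -> {a.target_image}")
        for r in a.reasons:
            print("   ", r)
```

In production the process table would come from the same telemetry stream (the target PID's own creation event) rather than a live snapshot, since by the time an analyst looks the attacker may already have released the freeze; the two independent reasons are kept separate so that a service-launched dump of an agent can be triaged as a possible genuine crash rather than discarded.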
Ultimately, the abuse of the Windows Error Reporting service is a powerful reminder that attackers will always seek to weaponize the tools already available to them. For defenders, this reinforces the critical need to move beyond simple signature-based detection and embrace a more proactive, behavior-focused approach to cybersecurity.
Source: https://www.bleepingcomputer.com/news/security/new-edr-freeze-tool-uses-windows-wer-to-suspend-security-software/


