Rather than merely trying to avoid scrutiny from EDR (Endpoint Detection and Response) and antivirus products, attackers are increasingly turning to BYOVD (Bring Your Own Vulnerable Driver) techniques, exploiting vulnerable drivers to disable security products outright.
The biggest drawback of BYOVD lies in finding, installing, and executing those vulnerable drivers. A more straightforward approach exploits vulnerabilities in existing Windows drivers.
In this article, instead of introducing external drivers, we demonstrate how to leverage Windows Error Reporting to suspend antivirus and EDR processes entirely in user mode without requiring third-party tools.
Understanding MiniDumpWriteDump
The MiniDumpWriteDump function from the Windows DbgHelp library is intended to capture a minidump—a snapshot of a process’s memory and state for debugging.
Internally, it suspends all threads in the target process to ensure memory consistency during the dump.
This suspension, however, can be weaponized: if an attacker invokes MiniDumpWriteDump from an external process, the target process remains frozen until the dump completes.
By extending the function’s execution time, the attacker can effectively “coma-state” the target indefinitely.
Since Microsoft recommends invoking MiniDumpWriteDump externally to avoid deadlocks in the crashing process itself, attackers already have the privilege context necessary to suspend high-value processes such as LSASS or antimalware engines.
Leveraging WerFaultSecure and PPL for Protection Bypass
EDR and antivirus processes are typically protected under Protected Process Light (PPL), preventing unauthorized handles for operations like suspension.
However, the WerFaultSecure.exe program supports WinTCB-level PPL protection and can invoke MiniDumpWriteDump on arbitrary processes when supplied with reverse-engineered parameters.
By launching WerFaultSecure via a CreateProcessAsPPL helper tool, attackers bypass PPL restrictions.
Furthermore, specifying the CREATE_SUSPENDED flag when creating the child process ensures WerFaultSecure itself can be suspended immediately after it triggers the dump.
Once WerFaultSecure initiates MiniDumpWriteDump on the target process, suspending WerFaultSecure leaves the target forever frozen, because the only process capable of resuming it is now paused.
This race-condition attack hinges on rapid status checks of the target process and timely invocation of the undocumented NtSuspendProcess API.
EDR-Freeze in Action and Defensive Considerations
To streamline this technique, I developed EDR-Freeze, a user-mode tool that automates the steps: launch WerFaultSecure as PPL, supply dump parameters for a specified PID, poll the target until suspended, then suspend WerFaultSecure to “lock” the target process.
EDR-Freeze accepts two parameters: the PID to freeze and the freeze duration in milliseconds. In a proof-of-concept, EDR-Freeze successfully suspended Windows Defender’s MsMpEng.exe for 5000 ms on Windows 11 24H2, observable via Process Explorer.
Practical use cases include temporarily disabling EDR or antivirus components to perform high-risk operations, then allowing normal operation to resume.
With BYOVD attacks on the rise, defensive measures must evolve. Organizations should monitor for anomalous WerFaultSecure invocations, especially when pointed at sensitive PIDs like LSASS, antivirus, or EDR agents.
Logging and alerting on suspicious MiniDumpWriteDump activity, implementing process-integrity monitoring, and applying least-privilege controls on error-reporting utilities can help detect and mitigate EDR-Freeze attempts.
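As an added illustration of the monitoring advice above (example code written for this article, not part of EDR-Freeze or any vendor product), the script below scans process-creation records for WerFaultSecure.exe launches whose command line names the PID of a sensitive process such as lsass.exe or MsMpEng.exe. The record layout, the process snapshot and the placeholder command-line arguments are all constructed assumptions; the real WerFaultSecure parameters are not given on this page, so the detector simply resolves every numeric token on the command line against the process table.

```python
import ntpath
import re

# Constructed sample data (not from the page or EDR-Freeze): a pid -> image
# snapshot and three process-creation events in an assumed "key=value|key=value"
# layout similar to what a Sysmon event 1 export would provide.
PROCESS_TABLE = {
    772: r"C:\Windows\System32\lsass.exe",
    3208: r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
    5124: r"C:\Windows\explorer.exe",
}

# Images the article names as high-value targets; extend with your EDR agent.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe"}

# The real WerFaultSecure argument layout is not on the page, so these
# command lines carry a labelled placeholder instead of real switches.
EVENTS = [
    "Image=C:\\Windows\\System32\\WerFaultSecure.exe"
    "|ParentImage=C:\\Users\\demo\\ppl_helper.exe"
    "|CommandLine=WerFaultSecure.exe PLACEHOLDER_ARGS 3208",
    "Image=C:\\Windows\\System32\\WerFaultSecure.exe"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|CommandLine=WerFaultSecure.exe PLACEHOLDER_ARGS 5124",
    "Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe report-772.txt",
]


def parse_event(line):
    """Split one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def find_suspicious(events, process_table, sensitive_images):
    """Return one finding per WerFaultSecure launch whose command line
    names the PID of a sensitive process (lsass, antimalware engine, ...)."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ntpath.basename(ev.get("Image", "")).lower() != "werfaultsecure.exe":
            continue
        # Scan every numeric token so no argument order has to be assumed.
        for token in re.findall(r"\b\d+\b", ev.get("CommandLine", "")):
            target = process_table.get(int(token))
            if target and ntpath.basename(target).lower() in sensitive_images:
                findings.append({"pid": int(token), "target": target,
                                 "parent": ev.get("ParentImage", "")})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(EVENTS, PROCESS_TABLE, SENSITIVE_IMAGES):
        print("ALERT: WerFaultSecure pointed at", f["target"], "pid", f["pid"])
```

Only the first sample event is reported: the second targets explorer.exe, and the third is not a WerFaultSecure launch even though its command line contains the LSASS PID.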
Continuous vigilance and adaptive security policies remain key to countering emerging process-suspension techniques.