Attack Overview
 

The EDR-Freeze tool represents a significant evolution in EDR evasion techniques because it requires no kernel driver. Unlike traditional "Bring Your Own Vulnerable Driver" (BYOVD) attacks, this method operates entirely in user mode and uses built-in Windows functionality (Windows Error Reporting) to put EDR processes into a coma-like suspended state rather than terminating them.
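The behaviour described above (a WER component being used against a security agent's process) is what a behaviour-analysis rule would look for. The following is an added, constructed example and is not code from the original page or from TrendAI: it runs a simple heuristic over a few hand-written process-creation events. The event field names, the protected PID, the parent-process allowlist and the command-line token patterns used to extract the target PID are all assumptions made for the illustration.

```python
"""Toy behavioural check for WER-based process suspension (constructed example).

Input is a list of process-creation events. A WER executable that is launched
against a protected security-agent PID is scored HIGH when its parent is not
the service host that normally spawns WER, and MEDIUM otherwise (a real crash
of the agent would also look like this, so it warrants a look, not an alert).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows Error Reporting images that can open and dump another process.
WER_IMAGES = {"werfault.exe", "werfaultsecure.exe"}

# Assumption: the agent knows its own PID(s); 4321 is a constructed value.
PROTECTED_PIDS = {4321}

# Assumption: the WER service normally runs inside svchost.exe, so that parent
# is treated as an ordinary WER launch.
EXPECTED_WER_PARENTS = {"svchost.exe"}

# Assumption: the target PID follows one of these switches on the command line.
TARGET_PID_RE = re.compile(r"(?:^|\s)(?:-p|/p|/pid)\s+(\d+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def wer_target_pid(cmdline: str) -> Optional[int]:
    """Extract the PID a WER process was told to handle, if any."""
    m = TARGET_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def classify(ev: ProcEvent, protected=PROTECTED_PIDS) -> Optional[Tuple[str, int]]:
    """Return (severity, target_pid) for a suspicious WER launch, else None."""
    if basename(ev.image) not in WER_IMAGES:
        return None
    target = wer_target_pid(ev.cmdline)
    if target is None or target not in protected:
        return None
    if basename(ev.parent_image) not in EXPECTED_WER_PARENTS:
        return ("HIGH", target)   # WER aimed at the agent by an unexpected parent
    return ("MEDIUM", target)     # WER aimed at the agent from the usual service path


def scan(events: List[ProcEvent]) -> List[Tuple[int, str, int]]:
    """Run classify() over all events; returns (event pid, severity, target pid)."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev.pid, verdict[0], verdict[1]))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\WerFault.exe", "WerFault.exe -u -p 9999 -s 120"),
    ProcEvent(1002, r"C:\Users\u\Downloads\unknown_tool.exe",
              r"C:\Windows\System32\WerFaultSecure.exe", "WerFaultSecure.exe /pid 4321"),
    ProcEvent(1003, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\WerFault.exe", "WerFault.exe -u -p 4321 -s 140"),
    ProcEvent(1004, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, severity, target in scan(SAMPLE_EVENTS):
        print(f"event {pid}: {severity} - WER launched against protected pid {target}")
```

In practice the same idea is combined with the other signals the page lists (dump-file creation naming the agent, and the agent remaining suspended rather than crashing), and the agent's own self-protection is what actually stops the suspension; the heuristic above only illustrates the WER-abuse behaviour pattern.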

 

TrendAI Vision One’s Protection Against EDR-Freeze
 

TrendAI Vision One customers have a multi-layered process protection defense in the form of the security agent self-protection mechanisms built into TrendAI™'s endpoint and cloud protection solutions. These mechanisms prevent EDR-Freeze from placing the security agent into a suspended state so that malicious activity cannot proceed undetected.
In addition to the agent self-protection mechanisms, TrendAI Vision One solutions also employ advanced detection capabilities such as behavior analysis for WER abuse detection, memory and dump protection, and network-based protection.



Threat Insights

TrendAI Vision One Threat Insights provides threat intelligence curated by TrendAI™ experts, delivered as timely reports on emerging threats that administrators can use as a basis for critical security decisions.



 

Utilizing Observed Attack Techniques (OAT)
 

TrendAI Vision One customers that use TrendAI™ endpoint and server protection products can open the Observed Attack Techniques section of the TrendAI Vision One console to look for suspicious activity that may indicate malicious behavior associated with this threat.

Potential indicators include:

  • Potential EDR Evasion via Windows Error Reporting Abuse (High)
  • Suspicious Dump File Creation via Hacktool (Medium)
  • EDR-Freeze Execution (Low)

As well as a Workbench Alert:

  • Potential EDR Evasion via Windows Error Reporting Abuse (High)


 

Vision One Component Specific Details
 

  • TrendAI Vision One Endpoint Security (Standard Endpoint Protection environments) and TrendAI™ Apex One (legacy) customers automatically have self-protection enabled for agents and are already protected.
  • TrendAI Vision One Endpoint Security users will want to ensure that the endpoint sensor/EDR capabilities are deployed for protection.
  • TrendAI Vision One Endpoint Security (Server Workload protection environments) and TrendAI™ Cloud One – Workload Security (legacy) Agents should have at least one of the following policies enabled for protection: Antimalware / Device Control / Application Control / Integrity Monitoring.

For optimal protection, customers will also want to ensure they are running the latest endpoint and server agent versions with the latest pattern and protection updates.


Customers who may require assistance verifying or enabling this protection are encouraged to contact their authorized TrendAI™ technical support representative.