Detection logic:
To prevent or monitor whether EDR-Freeze is being used on the network, we should rely on the running parameters of WerFaultSecure. If it points to the PID of sensitive processes such as LSASS, Antivirus, or EDR agents, there is a high likelihood that further investigation is necessary.
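One way to turn that detection logic into something that runs over telemetry, as an added example that is not part of the original post or of the EDR-Freeze author's writeup. It assumes process-creation events shaped like Sysmon Event ID 1 (image path, command line, parent image) plus a PID-to-image snapshot to resolve the target; the `/pid <n>` argument form is an assumption about how WerFaultSecure.exe is invoked (adjust the regex to what your own telemetry shows), and `edr_agent.exe` is a placeholder for your vendor's agent process name.

```python
"""Flag WerFaultSecure.exe launches whose command line points at a
sensitive process (LSASS, antivirus, EDR agent).

Added example, not code from the thread. Assumptions are marked inline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Image names whose suspension should be treated as high severity.
# lsass.exe and MsMpEng.exe are real Windows / Defender process names;
# "edr_agent.exe" is a placeholder for your EDR vendor's agent binary.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe", "edr_agent.exe"}

# Assumed argument form: "... /pid 1234 ...". Case-insensitive.
PID_ARG = re.compile(r"(?i)(?:^|\s)/pid\s+(\d+)")


@dataclass
class ProcEvent:
    pid: int
    image: str            # full path of the created process
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def target_pid(cmdline: str) -> Optional[int]:
    """PID named by the /pid argument, or None if absent."""
    m = PID_ARG.search(cmdline)
    return int(m.group(1)) if m else None


def evaluate(event: ProcEvent, proc_table: Dict[int, str]) -> Optional[dict]:
    """Return an alert if this event is WerFaultSecure.exe targeting a
    sensitive process; otherwise None (ordinary crash reporting)."""
    if basename(event.image) != "werfaultsecure.exe":
        return None
    tpid = target_pid(event.command_line)
    if tpid is None:
        return None
    target_image = basename(proc_table.get(tpid, ""))
    if target_image not in SENSITIVE_IMAGES:
        return None
    return {
        "rule": "werfaultsecure_targets_sensitive_process",
        "severity": "high",
        "werfaultsecure_pid": event.pid,
        "parent_image": basename(event.parent_image),
        "target_pid": tpid,
        "target_image": target_image,
        "command_line": event.command_line,
    }


def scan(events: List[ProcEvent], proc_table: Dict[int, str]) -> List[dict]:
    """Run evaluate() over a batch of events and collect the alerts."""
    return [a for a in (evaluate(e, proc_table) for e in events) if a]


# Constructed sample telemetry (not real captures).
SAMPLE_PROCS = {
    712: r"C:\Windows\System32\lsass.exe",
    4120: r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
    5300: r"C:\Windows\System32\notepad.exe",
}
SAMPLE_EVENTS = [
    ProcEvent(8820, r"C:\Windows\System32\WerFaultSecure.exe",
              r"WerFaultSecure.exe /h /pid 712 /tid 716 /file C:\Temp\x.dmp",
              r"C:\Users\alice\Downloads\tool.exe"),
    ProcEvent(8844, r"C:\Windows\System32\WerFaultSecure.exe",
              r"WerFaultSecure.exe /h /pid 5300 /tid 5304 /file C:\Temp\y.dmp",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(8901, r"C:\Windows\System32\notepad.exe",
              "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, SAMPLE_PROCS):
        print(alert)
```

Only the first sample event fires: WerFaultSecure aimed at the LSASS PID. The second is WerFaultSecure handling a crash of a non-sensitive process and stays quiet, which is what keeps this rule usable on a fleet where legitimate WER activity is common. Resolving the PID against a process snapshot taken at event time matters, because PIDs are reused and a later lookup can name the wrong image.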
The author’s writeup: zerosalarium.com/…/countering-edrs-with-backing-o…