Expand Up @@ -9,4 +9,4 @@ regression_tests_info:
- name: Positive Detection Test
type: evtx
provider: Microsoft-Windows-Sysmon
path: regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx
path: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx
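Review bot: this hunk only rewrites the reference to the evtx sample; the file itself must be moved from `regression_data/rules/windows/image_load/...` to `regression_data/rules-threat-hunting/windows/image_load/...` in the same change set, or the Positive Detection Test will fail on a missing file. The new directory agrees with the `regression_tests_path` of the new rule and the file name `8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx` agrees with the rule `id`, so the reference itself is consistent.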
@@ -0,0 +1,38 @@
title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
related:
- id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
type: similar
- id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
type: similar
status: experimental
description: |
Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection.
However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity.
When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load.
Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts.
Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.
references:
- https://github.com/TwoSevenOneT/EDR-Freeze
- https://blog.axelarator.net/hunting-for-edr-freeze/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
- attack.defense-evasion
- attack.t1562.001
- detection.threat-hunting
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\WerFaultSecure.exe'
ImageLoaded|endswith:
- '\dbgcore.dll'
- '\dbghelp.dll'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml
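Review bot: `falsepositives: - Unknown` contradicts the description a few lines above, which already states that the same DLL loads occur during normal software installations; record that case in the structured field (for example `- Legitimate software installations that invoke WerFaultSecure.exe`) so analysts filtering on `falsepositives` see it. The rest of the file is consistent: the `detection.threat-hunting` tag matches the `rules-threat-hunting` directory in `regression_tests_path`, and the `Image|endswith` / `ImageLoaded|endswith` pair on `image_load` is the minimal selection the description calls for.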
Expand Up @@ -13,6 +13,7 @@ references:
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
- attack.credential-access
- attack.t1003
Expand All @@ -29,9 +30,9 @@ detection:
- ':\Users\Public\'
- '\$Recycle.Bin\'
- '\Contacts\'
- '\Desktop\'
# - '\Desktop\'
- '\Documents\'
- '\Downloads\'
# - '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
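Review bot: the two entries commented out here (`# - '\Desktop\'` and `# - '\Downloads\'`) narrow the path list under `detection` without saying why, so a later reader cannot tell whether they are parked for re-enable or dropped on purpose; either delete them or add a short comment with the false-positive reason next to them. Also confirm that the rule's regression evtx does not place its sample under one of those two folders, since it would no longer match after this change.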

This file was deleted.

Expand Up @@ -9,6 +9,7 @@ references:
- https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-23
modified: 2026-01-09
tags:
- attack.credential-access
- attack.t1003.001
Expand All @@ -23,8 +24,7 @@ detection:
selection_cli:
# change to |re|i after Sigma v2.0 release
# plain string without quotation marks as it has to match for both ' and "
CommandLine|re: (?i)\.exe[\"\']?\s+.{12,64}[\"\']?\s+\d{2,10} # wsass.exe "path to werfaultsecure" lsass_pid
CommandLine|contains: 'werfaultsecure'
CommandLine|re: (?i)\.exe[\"\']?\s+[^\"]{,64}werfaultsecure\.exe[\"\']?\s+\d{2,10} # wsass.exe "path to werfaultsecure" lsass_pid
condition: 1 of selection_*
falsepositives:
- Unlikely
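Review bot: the new regex does not match the double-quoted form given in its own trailing comment (`wsass.exe "path to werfaultsecure" lsass_pid`): after `\.exe[\"\']?\s+` the next token is `[^\"]{,64}`, which cannot consume the opening `"` of the path, and no other token allows a quote at that position, so `werfaultsecure\.exe` never lines up; unquoted and single-quoted paths still match. Allowing an optional quote before the path, `\s+[\"\']?[^\"]{0,64}werfaultsecure\.exe`, fixes that. The `{,64}` quantifier is also Python-specific: Go/RE2 syntax and PCRE releases before 10.43 treat `{,` as a literal brace, so write it as `{0,64}` for the non-Python backends Sigma targets. The added `CommandLine|contains: 'werfaultsecure'` is a sensible cheap prefilter and, because keys inside one selection are ANDed, does not widen the match.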