EDR-Freeze: The New Way Attackers are Getting into Your Network

Following the disclosure of “EDR-Freeze,” a new technique that can suspend endpoint detection and response (EDR) tools and antivirus software indefinitely, cybersecurity defenses are under renewed pressure.

EDR-Freeze marks a critical escalation, alongside other sophisticated evasion methods –such EDR Killers and Bring Your Own Vulnerable Driver (BYOVD) attacks– as adversaries relentlessly seek new and creative ways to evade or disable security software.

What is EDR-Freeze?

Created by security researcher TwoSevenOneThree, also known as Zero Salarium, as a proof-of-concept tool, EDR-Freeze exploits the interaction between two Windows Error Reporting (WER) processes to evade many security tools, including EDR and antivirus software.

The technique involves using the WerFaultSecure and Windows MiniDump WriteDump functions to stop security processes from detecting, providing alerts, or responding to malicious activity.

What distinguishes EDR-Freeze from previous EDR bypass methods is its reliance on legitimate system components. This makes it much harder to detect, since it doesn’t introduce anything suspicious; it looks like typical behavior.

How Modern NDR Helps Enterprises Maintain Visibility

Modern threat actors are sophisticated, well-funded, and patient. They continue to find innovative ways to bypass detection from your security controls and gain access to your network. EDR-Freeze is the latest reflection of this reality. Modern network detection and response (NDR) provides a crucial non-endpoint-dependent layer of defense that monitors network activity. Because attackers must continue to use the network after disabling an EDR agent, the network itself becomes an immutable source of truth — a record of activity that cannot be silenced or altered.

Detecting the Attackers’ Next Move

Modern NDR is uniquely positioned to detect attackers’ post-compromise actions after freezing the EDR agent. High-value indicators of an active threat actor include:

• Lateral movement
• Command-and-control (C2) communication
• Data exfiltration

Inherent Immunity to EDR Freeze

Modern NDR is structurally immune to the EDR-Freeze technique for two reasons.

First, NDR is agentless and passive, meaning that it does not rely on software agents installed on individual hosts to analyze network traffic.

Second, modern NDR analyzes network activity, including encrypted content from critical business applications protocols to create behavioral baselines for every user and device, independent of the host’s EDR status.

The ExtraHop Advantage

When an EDR agent freezes, it is blind to any malicious activity on that device. The ExtraHop NDR platform provides the freeze-proof visibility your team needs, spotting malicious activity with:

• Strategic decryption: ExtraHop provides the ability to perform full-spectrum analysis on encrypted traffic, removing attackers’ preferred method of bypassing other NDR tools.
• Protocol fluency: ExtraHop is fluent in 90+ network protocols, ensuring that the use of non-standard or legitimate application channels doesn’t mask the malicious actions.
• AI and cloud-scale machine learning: ExtraHop provides the elastic compute power and storage necessary for the massive, ever-growing amount of data your network generates, meaning a more accurate baseline for behavior analysis. If a frozen EDR device starts communicating with a suspicious external IP, or attempts lateral movement, ExtraHop immediately flags this activity as a significant deviation from the established baseline, generating a high-fidelity alert.
• Forensic visibility: You can investigate the severity and scope of any malicious activity anywhere in your multi-cloud or hybrid network with packet-level visibility of every conversation between devices.

What CISOs Should Do Next

EDR-Freeze points to the fact that even well-established tools can be rendered ineffective when adversaries evolve. Nonetheless, EDR remains as a cornerstone of defense. Rather than replacing it, the path forward is to reinforce it with comprehensive, independent sources of truth that provide additional context and signal. When NDR is leveraged alongside endpoint data, your security teams get a comprehensive view of all network activity.

Prioritize solutions that offer deep, bi-directional integration, enabling seamless information sharing and automated response actions across both your EDR and NDR platforms. This unified strategy effectively helps close the blind spots exposed by techniques like EDR-Freeze, providing higher confidence that your organization can stop breaches fast and outmaneuver adversaries.

Transform your security operations with an effective NDR and EDR strategy.