Techniques
Sample rules
Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
- source: sigma
- techniques:
- t1562
- t1562.001
Description
Detects attempts to freeze a process, likely an EDR or antimalware service process, via EDR-Freeze, which abuses WerFaultSecure.exe to suspend security software.
Detection logic
condition: selection
selection:
    CommandLine|contains|all:
        - ' /h '
        - ' /pid '
        - ' /tid '
        - ' /encfile '
        - ' /cancel '
        - ' /type '
        - ' 268310'
    Image: C:\Windows\System32\WerFaultSecure.exe
</replace_placeholder_never_emitted>
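The selection above can be checked offline against process-creation telemetry. The following is an added example, not part of the Sigma rule or its source repository: it re-implements the `contains|all` and `Image` match of this rule in Python and runs it over three constructed events using Sysmon-style field names (`Image`, `CommandLine`). The PIDs, TIDs and file paths in the sample command lines are placeholders, not captured data.

```python
"""Evaluate this rule's `selection` against constructed process-creation events."""
from __future__ import annotations

# Tokens copied verbatim from the rule's `CommandLine|contains|all` list.
REQUIRED_TOKENS = [" /h ", " /pid ", " /tid ", " /encfile ", " /cancel ", " /type ", " 268310"]
# Exact image path from the rule's `Image` field.
REQUIRED_IMAGE = r"C:\Windows\System32\WerFaultSecure.exe"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma string comparisons are case-insensitive by default, so both the
    command line and the image path are lower-cased before comparison.
    `contains|all` requires every token to be present as a substring.
    """
    cmdline = str(event.get("CommandLine", "")).lower()
    image = str(event.get("Image", "")).lower()
    if image != REQUIRED_IMAGE.lower():
        return False
    return all(tok.lower() in cmdline for tok in REQUIRED_TOKENS)


# Constructed sample events (hypothetical values, not real telemetry).
SAMPLE_EVENTS = [
    {   # same image, but only a subset of the required tokens: no match
        "EventID": 1,
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 4321",
    },
    {   # every token present, but the binary runs from a different path: no match
        "EventID": 1,
        "Image": r"C:\Users\PLACEHOLDER\WerFaultSecure.exe",
        "CommandLine": r"WerFaultSecure.exe /h /pid 1234 /tid 5678 "
                       r"/encfile C:\Temp\PLACEHOLDER.bin /cancel 0 /type 268310",
    },
    {   # expected image plus all tokens from the rule: match
        "EventID": 1,
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 1234 /tid 5678 "
                       r"/encfile C:\Temp\PLACEHOLDER.bin /cancel 0 /type 268310",
    },
]


def run_detection(events: list[dict]) -> list[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for idx in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Only the third event fires. The second event shows a tuning point worth knowing when deploying this rule: the `Image` field is an exact path match, so a process-creation record whose image sits outside `C:\Windows\System32` will not alert even if the command line is identical; if your telemetry carries `OriginalFileName`, a companion selection on that field can make the detection less dependent on the on-disk location.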