Techniques
Sample rules
Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects attempts to suspend a process, most likely an EDR or anti-malware service process, via EDR-Freeze, which abuses the WerFaultSecure.exe process to suspend security software.
Detection logic
detection:
  selection_image:
    - Image|endswith: '\WerFaultSecure.exe'
    - OriginalFileName: 'WerFaultSecure.exe'
  selection_args:
    CommandLine|contains|all:
      - ' /h '
      - ' /pid '
      - ' /tid '
      - ' /encfile '
      - ' /cancel '
      - ' /type '
      - ' 268310'
  condition: all of selection_*
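The detection logic above, evaluated in plain Python over a handful of process-creation events, as an added example that is not part of the rule or of Sigma's own tooling. Field names (Image, OriginalFileName, CommandLine) and the matched values are taken from the rule; the events and every argument value in them (PIDs, the `/encfile` and `/cancel` operands) are constructed placeholders. Sigma string modifiers match case-insensitively by default, and a list under a selection is OR-ed while `contains|all` is AND-ed, which is what the two selection functions implement.

```python
"""Evaluate the WerFaultSecure/EDR-Freeze Sigma rule above against process-creation events.

Added example, not the rule's own tooling. All events below are constructed.
"""
from typing import Iterable, List

# Values copied from the rule's detection block.
REQUIRED_ARGS = [' /h ', ' /pid ', ' /tid ', ' /encfile ', ' /cancel ', ' /type ', ' 268310']
IMAGE_SUFFIX = '\\WerFaultSecure.exe'
ORIGINAL_FILE_NAME = 'WerFaultSecure.exe'


def _selection_image(event: dict) -> bool:
    """selection_image: a list under a selection is OR-ed; matching is case-insensitive."""
    image = str(event.get('Image', '')).lower()
    original = str(event.get('OriginalFileName', '')).lower()
    return image.endswith(IMAGE_SUFFIX.lower()) or original == ORIGINAL_FILE_NAME.lower()


def _selection_args(event: dict) -> bool:
    """selection_args: contains|all means every listed substring must be present."""
    cmdline = str(event.get('CommandLine', '')).lower()
    return all(arg.lower() in cmdline for arg in REQUIRED_ARGS)


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold for the same event."""
    return _selection_image(event) and _selection_args(event)


def find_matches(events: Iterable[dict]) -> List[dict]:
    """Return the events that trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events. PIDs/TIDs and the /encfile and /cancel operands are placeholders.
SAMPLE_EVENTS = [
    {   # Alert: genuine binary path, full argument set.
        'EventID': 1,
        'Image': 'C:\\Windows\\System32\\WerFaultSecure.exe',
        'OriginalFileName': 'WerFaultSecure.exe',
        'CommandLine': 'WerFaultSecure.exe /h /pid 1234 /tid 5678 /encfile PLACEHOLDER '
                       '/cancel PLACEHOLDER /type 268310',
    },
    {   # Alert: the Image branch fails (binary copied under another name), but the
        # OriginalFileName branch of selection_image still matches.
        'EventID': 1,
        'Image': 'C:\\Users\\Public\\renamed.exe',
        'OriginalFileName': 'WerFaultSecure.exe',
        'CommandLine': 'renamed.exe /H /PID 1234 /TID 5678 /ENCFILE PLACEHOLDER '
                       '/CANCEL PLACEHOLDER /TYPE 268310',
    },
    {   # No alert: right image, but /h, /encfile and /cancel are absent.
        'EventID': 1,
        'Image': 'C:\\Windows\\System32\\WerFaultSecure.exe',
        'OriginalFileName': 'WerFaultSecure.exe',
        'CommandLine': 'WerFaultSecure.exe /pid 1234 /tid 5678 /type 268310',
    },
    {   # No alert: full argument set but an unrelated image and OriginalFileName.
        'EventID': 1,
        'Image': 'C:\\Windows\\System32\\notepad.exe',
        'OriginalFileName': 'NOTEPAD.EXE',
        'CommandLine': 'notepad.exe /h /pid 1234 /tid 5678 /encfile PLACEHOLDER '
                       '/cancel PLACEHOLDER /type 268310',
    },
]


if __name__ == '__main__':
    for hit in find_matches(SAMPLE_EVENTS):
        print('ALERT:', hit['Image'], '|', hit['CommandLine'])
```

The second sample event is the reason the rule keeps the OriginalFileName branch alongside the path check: the two are OR-ed, so a match on either is enough, while the argument list is AND-ed and must be complete. Note that `' 268310'` carries a leading space and the switches carry surrounding spaces, so the substrings only match whole tokens, not digits embedded in a longer value.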