LoFP / legitimate usage of WerFaultSecure for debugging purposes

Techniques

Sample rules

Suspicious Process Suspension via WERFaultSecure through EDR-Freeze

Description

Detects attempts to freeze a process, most likely an EDR or antimalware service, by way of EDR-Freeze, which abuses the Microsoft-signed WerFaultSecure.exe to suspend security software. Because the rule keys on the shape of the WerFaultSecure command line rather than on the suspended target, a legitimate invocation with the same switches (for example when a developer uses the tool to capture a dump for debugging) produces the same match; triage should therefore look at which process the /pid argument points to and at the parent that launched WerFaultSecure.

Detection logic

condition: all of selection_*
selection_args:
  CommandLine|contains|all:
  - ' /h '
  - ' /pid '
  - ' /tid '
  - ' /encfile '
  - ' /cancel '
  - ' /type '
  - ' 268310'
selection_image:
- Image|endswith: \WerFaultSecure.exe
- OriginalFileName: WerFaultSecure.exe
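The following is an added example, not part of the LoFP page or of the Sigma rule's own tooling. It evaluates the detection logic above over a handful of constructed Sysmon-style process-creation events (field names Image, CommandLine, OriginalFileName and ParentImage are assumed to follow Sysmon Event ID 1; none of the events are real logs), applying Sigma's default case-insensitive matching, the OR between the two list items of selection_image, and the AND of the condition. It then shows the triage step the description calls for: the PID passed to /pid is looked up in a constructed process table standing in for a live process-list query, and the hypothetical SECURITY_PROCESSES set marks which targets deserve an alert rather than a review. The third event matches the rule but targets an ordinary process, which is exactly the legitimate-debugging false positive this page records.

```python
import re

# Sigma string matching is case-insensitive unless the 'cased' modifier is used,
# so every comparison below lowercases both sides.
CMDLINE_TOKENS = (' /h ', ' /pid ', ' /tid ', ' /encfile ', ' /cancel ', ' /type ', ' 268310')


def selection_args(event):
    """CommandLine|contains|all: every token must appear somewhere in the command line."""
    cmd = event.get('CommandLine', '').lower()
    return all(tok.lower() in cmd for tok in CMDLINE_TOKENS)


def selection_image(event):
    """Two list items under one selection are OR-ed: path suffix OR PE original file name."""
    image = event.get('Image', '').lower()
    original = event.get('OriginalFileName', '').lower()
    return image.endswith('\\werfaultsecure.exe') or original == 'werfaultsecure.exe'


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_args(event) and selection_image(event)


def target_pid(event):
    """Extract the PID handed to /pid, i.e. the process WerFaultSecure will suspend."""
    m = re.search(r'/pid\s+(\d+)', event.get('CommandLine', ''), re.IGNORECASE)
    return int(m.group(1)) if m else None


# Hypothetical, illustrative set of image names whose suspension should page someone.
SECURITY_PROCESSES = {'msmpeng.exe', 'mssense.exe'}


def triage(event, process_table):
    """Return (verdict, reason). process_table maps PID -> image name and stands in
    for a process-list lookup at detection time (constructed for this example)."""
    if not rule_matches(event):
        return 'none', 'rule did not fire'
    pid = target_pid(event)
    target = process_table.get(pid, '').lower()
    if target in SECURITY_PROCESSES:
        return 'alert', f'/pid {pid} is {target}'
    return 'review', f'/pid {pid} is {target or "unknown"}; possible legitimate debugging use'


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # EDR-Freeze-style invocation launched from an unsigned tool in a user-writable path
        'Image': r'C:\Windows\System32\WerFaultSecure.exe',
        'OriginalFileName': 'WerFaultSecure.exe',
        'ParentImage': r'C:\Users\Public\EDR-Freeze.exe',
        'CommandLine': r'WerFaultSecure.exe /h /pid 4128 /tid 4212 /encfile C:\Users\Public\out.enc /cancel 1480 /type 268310',
    },
    {   # Renamed copy: only OriginalFileName still identifies the binary
        'Image': r'C:\Temp\svc.exe',
        'OriginalFileName': 'WerFaultSecure.exe',
        'ParentImage': r'C:\Temp\loader.exe',
        'CommandLine': r'svc.exe /h /pid 4128 /tid 4212 /encfile C:\Temp\o.enc /cancel 1480 /type 268310',
    },
    {   # Same switch set, but the target is a developer's own service: the LoFP case
        'Image': r'C:\Windows\System32\WerFaultSecure.exe',
        'OriginalFileName': 'WerFaultSecure.exe',
        'ParentImage': r'C:\Windows\System32\svchost.exe',
        'CommandLine': r'WerFaultSecure.exe /h /pid 7788 /tid 7790 /encfile C:\Dumps\app.enc /cancel 2044 /type 268310',
    },
    {   # Ordinary WerFault.exe crash handling with different switches: no match
        'Image': r'C:\Windows\System32\WerFault.exe',
        'OriginalFileName': 'WerFault.exe',
        'ParentImage': r'C:\Windows\System32\svchost.exe',
        'CommandLine': r'C:\Windows\system32\WerFault.exe -u -p 5120 -s 1996',
    },
]

# Constructed PID -> image mapping; 4128 is Defender's engine, 7788 an unrelated service.
PROCESS_TABLE = {4128: 'MsMpEng.exe', 7788: 'MyService.exe'}


def run(events=SAMPLE_EVENTS, process_table=PROCESS_TABLE):
    """Verdict per event, in input order."""
    return [triage(e, process_table)[0] for e in events]


if __name__ == '__main__':
    for e in SAMPLE_EVENTS:
        verdict, why = triage(e, PROCESS_TABLE)
        print(f'{verdict:6} {e["Image"]}  ({why})')
```

Running the block prints one verdict per constructed event: the first two fire as alerts (the second only because OriginalFileName survives the rename), the third fires as a review because the rule matched but the /pid target is not a security product, and the WerFault.exe crash event never matches. The review bucket is where the "legitimate usage for debugging" false positive lands; suppressing it on parent image or on the /pid target is safer than loosening the command-line tokens.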