LoFP / legitimate usage of werfaultsecure for debugging purposes

Techniques

Sample rules

Suspicious Process Suspension via WERFaultSecure through EDR-Freeze

Description

Detects attempts to freeze a process, most likely an EDR or antimalware service process, via EDR-Freeze, a tool that abuses the WerFaultSecure.exe process to suspend security software.

Detection logic

selection:
  CommandLine|contains|all:
    - ' /h '
    - ' /pid '
    - ' /tid '
    - ' /encfile '
    - ' /cancel '
    - ' /type '
    - ' 268310'
  Image: C:\Windows\System32\WerFaultSecure.exe
condition: selection
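The selection above combines one exact field match (Image) with a `contains|all` match on CommandLine, so every listed fragment must be present for the rule to fire; a WerFaultSecure.exe invocation missing any one of them does not match. The following Python is an added example, not part of the rule or of the LoFP page, that transcribes the selection into code and evaluates it against a few constructed process-creation events (the event dicts, PIDs and file paths are made up for the test):

```python
"""Evaluate the Sigma selection above against constructed process-creation events.

Added example: the matcher below mirrors Sigma's default semantics for the two
field types used in the rule. String comparisons in Sigma are case-insensitive
by default, `contains|all` requires every listed value to occur in the field,
and a plain field value is an exact match.
"""

# Values copied from the rule's selection block.
REQUIRED_SUBSTRINGS = [
    ' /h ', ' /pid ', ' /tid ', ' /encfile ', ' /cancel ', ' /type ', ' 268310',
]
REQUIRED_IMAGE = r'C:\Windows\System32\WerFaultSecure.exe'


def matches_rule(event: dict) -> bool:
    """Return True when a process-creation event satisfies the selection."""
    image = event.get('Image', '')
    cmd = event.get('CommandLine', '')
    # Plain field: exact, case-insensitive comparison.
    if image.lower() != REQUIRED_IMAGE.lower():
        return False
    # contains|all: every fragment must appear somewhere in the command line.
    cmd_lower = cmd.lower()
    return all(fragment.lower() in cmd_lower for fragment in REQUIRED_SUBSTRINGS)


def evaluate(events: list) -> list:
    """Return the EventIDs (a constructed field) of all events that match."""
    return [ev['EventID'] for ev in events if matches_rule(ev)]


# Constructed sample events (all PIDs, TIDs and paths are placeholders).
SAMPLE_EVENTS = [
    {   # Every fragment present and the expected image: matches.
        'EventID': 1,
        'Image': r'C:\Windows\System32\WerFaultSecure.exe',
        'CommandLine': (r'C:\Windows\System32\WerFaultSecure.exe /h /pid 1234 /tid 5678 '
                        r'/encfile C:\Users\Public\out.dmp /cancel 0 /type 268310'),
    },
    {   # Same image, but the command line lacks ' /cancel ' and ' 268310': no match.
        'EventID': 2,
        'Image': r'C:\Windows\System32\WerFaultSecure.exe',
        'CommandLine': (r'C:\Windows\System32\WerFaultSecure.exe /h /pid 1234 /tid 5678 '
                        r'/encfile C:\Users\Public\out.dmp /type 0'),
    },
    {   # Full argument set but a different image path: no match.
        'EventID': 3,
        'Image': r'C:\Users\Public\WerFaultSecure.exe',
        'CommandLine': (r'C:\Users\Public\WerFaultSecure.exe /h /pid 1234 /tid 5678 '
                        r'/encfile C:\Users\Public\out.dmp /cancel 0 /type 268310'),
    },
    {   # Mixed-case image still matches because Sigma string matching is case-insensitive.
        'EventID': 4,
        'Image': r'c:\windows\system32\werfaultsecure.exe',
        'CommandLine': (r'werfaultsecure.exe /H /PID 42 /TID 43 /ENCFILE C:\x.dmp '
                        r'/CANCEL 0 /TYPE 268310'),
    },
]


if __name__ == '__main__':
    print('matching EventIDs:', evaluate(SAMPLE_EVENTS))
```

Event 3 illustrates the other side of the rule: because Image is an exact path match rather than `endswith`, a binary with the same name in a different directory is not covered by this selection, which is worth keeping in mind when reviewing false negatives as well as the false positives listed here.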