Detection logic:
To prevent or detect EDR-Freeze on the network, monitor the command-line arguments WerFaultSecure.exe is launched with. If the process ID it is pointed at belongs to a sensitive process such as LSASS, an antivirus engine, or an EDR agent, that is a strong signal and the host warrants further investigation.
The author’s writeup: https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html
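The detection logic above, worked through on constructed process-creation events. This is an added example, not code from the writeup or from the EDR-Freeze tool; it assumes the launch is visible as a process-creation record (Sysmon Event ID 1 or Security 4688 style, with Image, CommandLine and ParentImage fields), that WerFaultSecure receives its target as a `/pid <decimal>` argument, and that a PID-to-image snapshot from the same telemetry is available to resolve the target. The watch list of AV/EDR binary names and the sample events are assumptions for illustration.

```python
"""
Flag WerFaultSecure.exe launches whose /pid argument targets LSASS or a
security product. Editor-added example; the event fields, the /pid
argument form and the watch list below are assumptions, not telemetry
or code from the EDR-Freeze writeup.
"""
import re
from dataclasses import dataclass

# Hypothetical watch list: extend with the binaries your own AV/EDR ships.
SENSITIVE_IMAGES = {
    "lsass.exe",
    "msmpeng.exe",          # Microsoft Defender engine
    "mssense.exe",          # Defender for Endpoint sensor
    "csfalconservice.exe",  # CrowdStrike Falcon
    "sentinelagent.exe",    # SentinelOne
}

# Assumed argument form: "... /pid <decimal> ..." (case-insensitive, '/' or '-').
PID_ARG = re.compile(r"(?:^|\s)[/-]pid\s+(\d+)", re.IGNORECASE)


@dataclass
class Alert:
    record_id: str
    werfault_pid: int
    target_pid: int
    target_image: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def target_pid(cmdline: str):
    """PID named by the /pid argument, or None if the argument is absent."""
    m = PID_ARG.search(cmdline)
    return int(m.group(1)) if m else None


def detect(events, pid_snapshot):
    """Return an Alert for every WerFaultSecure launch aimed at a sensitive PID."""
    alerts = []
    for ev in events:
        if basename(ev["Image"]) != "werfaultsecure.exe":
            continue
        tpid = target_pid(ev["CommandLine"])
        if tpid is None:
            continue
        timage = pid_snapshot.get(tpid, "<unknown>").lower()
        if timage in SENSITIVE_IMAGES:
            alerts.append(Alert(ev["EventRecordID"], ev["ProcessId"], tpid,
                                timage, ev.get("ParentImage", "")))
    return alerts


# Constructed sample telemetry (not real events).
PID_SNAPSHOT = {712: "lsass.exe", 3300: "MsMpEng.exe", 4120: "someapp.exe"}

SAMPLE_EVENTS = [
    {"EventRecordID": "1001", "ProcessId": 5200,
     "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "CommandLine": r"WerFaultSecure.exe /h /pid 712 /tid 716 /type 268310",
     "ParentImage": r"C:\Users\bob\Downloads\tool.exe"},
    {"EventRecordID": "1002", "ProcessId": 5210,
     "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "CommandLine": r"WerFaultSecure.exe /h /pid 4120 /tid 4128 /type 268310",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventRecordID": "1003", "ProcessId": 5300,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventRecordID": "1004", "ProcessId": 5400,
     "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "CommandLine": r"WerFaultSecure.exe /h /PID 3300 /tid 3312 /type 268310",
     "ParentImage": r"C:\Users\bob\Downloads\tool.exe"},
]


def run_sample():
    return detect(SAMPLE_EVENTS, PID_SNAPSHOT)


if __name__ == "__main__":
    for a in run_sample():
        print(f"record {a.record_id}: WerFaultSecure pid {a.werfault_pid} "
              f"targets {a.target_image} (pid {a.target_pid}), parent {a.parent_image}")
```

Record 1002 is left alone because its target is not on the watch list; 1001 and 1004 fire because the `/pid` argument resolves to LSASS and the Defender engine. The parent image is carried in the alert because a WerFaultSecure launched from a user-writable path rather than by the WER service is the natural follow-up triage question.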