
High
Bypass, LOLBin
Defense Evasion, Execution
Windows
How EDR-Freeze Turns Windows Debugging into a Weapon Against Antivirus and EDR
It has been over two years since the distribution of the PPL-Blade and Terminator tools, which leveraged the Bring-Your-Own-Vulnerable-Driver (BYOVD) technique for malicious purposes.
The more recent EDR-Freeze tool introduces a cutting-edge approach: a stealthy, user-mode attack that abuses the Windows debugging utility WerFaultSecure.exe to place PPL-protected processes into an indefinite “freeze state”. This novel technique allows attackers to achieve malicious objectives while sidestepping the traditional reliance on BYOVD or kernel-level exploits.
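A defender-side hunting heuristic for the LOLBin described above, added here as an illustration and not code from the lab or the EDR-Freeze project: it scans process-creation events for WerFaultSecure.exe launches with an unexpected parent, or whose arguments reference the PID of a security agent. The expected-parent allowlist, the agent image names, the argument syntax in the sample events and the sample events themselves are constructed assumptions, so tune them to your own baseline.

```python
# Hunting heuristic for anomalous WerFaultSecure.exe launches (constructed data, illustrative only).
import re

# Assumption: parent images an analyst has baselined as legitimate launchers of WerFaultSecure.exe.
EXPECTED_PARENTS = {r"c:\windows\system32\svchost.exe"}
# Assumption: image names of the defensive agents whose freezing would matter.
SENSITIVE_IMAGES = {"msmpeng.exe", "sensecncproxy.exe"}

# Constructed process-creation events (Sysmon-style fields); argument syntax is not WerFaultSecure's real CLI.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "WerFaultSecure.exe 4242"},
    {"EventId": 2, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Users\alice\Downloads\tool.exe", "CommandLine": "WerFaultSecure.exe 9001"},
    {"EventId": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
# Constructed snapshot of running processes at event time: pid -> image path.
SAMPLE_PROCESS_TABLE = {
    4242: r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    9001: r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
}


def find_suspicious_launches(events, process_table):
    """Return [(event_id, [reason, ...])] for WerFaultSecure.exe launches worth triage.

    A launch is reported when its parent is outside the baseline, or when any
    numeric argument is the PID of a sensitive (security-agent) process.
    """
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith(r"\werfaultsecure.exe"):
            continue
        reasons = []
        if ev["ParentImage"].lower() not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {ev['ParentImage']}")
        # Any standalone integer on the command line is treated as a candidate target PID.
        for tok in re.findall(r"\b\d+\b", ev["CommandLine"]):
            target = process_table.get(int(tok), "")
            if target.rsplit("\\", 1)[-1].lower() in SENSITIVE_IMAGES:
                reasons.append(f"references pid {tok} ({target})")
        if reasons:
            findings.append((ev["EventId"], reasons))
    return findings


if __name__ == "__main__":
    for event_id, reasons in find_suspicious_launches(SAMPLE_EVENTS, SAMPLE_PROCESS_TABLE):
        print(f"event {event_id}: " + "; ".join(reasons))
```

Event 1 (baselined parent, non-sensitive target) is left alone; event 2 is reported for both its parent and the agent PID it references.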



