
DON’T FREEZE ME OUT, BRO! ARC Labs Technical Analysis of EDR-Freeze

ID: c4b88e0d-e14f-5fd1-bfe1-b326fcdff87f

STIX ID: report--c4b88e0d-e14f-5fd1-bfe1-b326fcdff87f

Feed Name: Binary Defense Blog

Threat Score
70/100

Date Published: 2025-09-22

Date Updated: 2026-04-27

...
...

EDR-Freeze is a proof-of-concept demonstrating a reliable technique for suspending and dumping PPL-protected endpoint security processes. It creates a protected dumper process (via PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL and CREATE_PROTECTED_PROCESS), passes it inheritable dump handles, enables SeDebugPrivilege, and relies on timing and race logic to keep the target suspended. The report walks through the key modules and string literals (for example '/type 268310', '/encfile', '/cancel' and 't.txt'), lays out high-fidelity detection opportunities, and closes with operational defensive recommendations: collect process attributes, file events and process access telemetry, and correlate them with gaps in agent heartbeats.
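The detection recommendations above (command-line literals, process access telemetry, heartbeat gaps) can be combined into one correlation rule. The following is an added example written for this summary, not detection content from the Binary Defense report or from the EDR-Freeze project. It runs over constructed Sysmon-like events whose field names, the dumper image path, the EDR agent path, the protection-level attribute and the heartbeat and access windows are all assumptions; only the three command-line literals and 't.txt' come from the summary itself.

```python
"""Correlate EDR-Freeze style indicators across process-create, process-access
and agent-heartbeat telemetry.  Added example; schema and thresholds are assumed."""
from datetime import datetime, timedelta

# Literals quoted in the report summary. Requiring all three together keeps the
# rule narrow; any one of them alone appears in benign WER command lines.
CMDLINE_LITERALS = ("/type 268310", "/encfile", "/cancel")
HEARTBEAT_GAP = timedelta(seconds=60)   # assumed heartbeat SLA for the agent
ACCESS_WINDOW = timedelta(seconds=30)   # assumed window after process creation

# Constructed sample telemetry (not real logs). Image paths are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2025-09-22T10:00:00", "type": "ProcessCreate", "pid": 4100,
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2025-09-22T10:00:05", "type": "ProcessCreate", "pid": 4242,
     "image": "C:\\Users\\Public\\placeholder_dumper.exe",
     "cmdline": "placeholder_dumper.exe /h /pid 1337 /file t.txt "
                "/encfile t.txt /cancel /type 268310",
     # assumed field populated from the process protection attribute
     "protection_level": "PsProtectedSignerWinTcb-Light"},
    {"ts": "2025-09-22T10:00:06", "type": "ProcessAccess", "source_pid": 4242,
     "target_pid": 1337, "target_image": "C:\\Program Files\\EDR\\agent.exe",
     "granted_access": "0x1FFFFF"},
    # benign access from an unflagged process is ignored by the rule
    {"ts": "2025-09-22T10:00:07", "type": "ProcessAccess", "source_pid": 4100,
     "target_pid": 1337, "target_image": "C:\\Program Files\\EDR\\agent.exe",
     "granted_access": "0x1000"},
    {"ts": "2025-09-22T10:00:00", "type": "Heartbeat", "agent": "host01"},
    {"ts": "2025-09-22T10:02:30", "type": "Heartbeat", "agent": "host01"},
    {"ts": "2025-09-22T10:00:00", "type": "Heartbeat", "agent": "host02"},
    {"ts": "2025-09-22T10:00:30", "type": "Heartbeat", "agent": "host02"},
    {"ts": "2025-09-22T10:01:00", "type": "Heartbeat", "agent": "host02"},
]


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def flagged_process_creates(events):
    """ProcessCreate events whose command line carries every literal."""
    return [ev for ev in events if ev["type"] == "ProcessCreate"
            and all(lit in ev.get("cmdline", "") for lit in CMDLINE_LITERALS)]


def heartbeat_gaps(events, max_gap=HEARTBEAT_GAP):
    """(agent, gap_start, gap_end) for consecutive heartbeats further apart than max_gap."""
    by_agent = {}
    for ev in events:
        if ev["type"] == "Heartbeat":
            by_agent.setdefault(ev["agent"], []).append(_t(ev))
    gaps = []
    for agent, times in by_agent.items():
        times.sort()
        for a, b in zip(times, times[1:]):
            if b - a > max_gap:
                gaps.append((agent, a, b))
    return gaps


def correlate(events):
    """One alert per flagged create, enriched with the processes it opened
    shortly after starting and with any agent heartbeat gap that overlaps."""
    alerts = []
    gaps = heartbeat_gaps(events)
    for create in flagged_process_creates(events):
        t0 = _t(create)
        targets = [ev["target_image"] for ev in events
                   if ev["type"] == "ProcessAccess"
                   and ev["source_pid"] == create["pid"]
                   and t0 <= _t(ev) <= t0 + ACCESS_WINDOW]
        overlapping = [agent for agent, a, b in gaps if a <= t0 <= b]
        if targets and overlapping:
            severity = "high"
        elif targets or overlapping:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"pid": create["pid"], "cmdline": create["cmdline"],
                       "protection_level": create.get("protection_level"),
                       "targets": targets, "heartbeat_gap_agents": overlapping,
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The command-line match alone is worth an alert; the process-access join and the heartbeat gap are what lift it to high confidence, since an agent that stops checking in within seconds of such a process starting is the symptom the report describes.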
