From cc910b5314431ea4d51444f46b73d7aea9fc9289 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 26 Sep 2025 20:14:51 +0000
Subject: [PATCH] Sigma Rule Update (2025-09-26 20:14:44) (#97)

Co-authored-by: YamatoSecurity
---
 config/security_rules.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/config/security_rules.json b/config/security_rules.json
index 3d54ca39..70347298 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -14347,6 +14347,23 @@
 ],
 "title": "Harvesting Of Wifi Credentials Via Netsh.EXE"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects attempts to freeze a process likely an EDR or an antimalware service process through EDR-Freeze that abuses the WerFaultSecure.exe process to suspend security software.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "4bf1a6ac-2f14-c4e7-4339-5a28683aa92f",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Suspicious Process Suspension via WERFaultSecure through EDR-Freeze"
+ },
 {
 "category": "process_creation",
 "channel": [
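Review bot: The new entry declares its data dependency as Security event `4688` under the Audit Process Creation subcategory (`0CCE922B-69AE-11D9-BED3-505054503030`), but 4688 only carries the process command line when the "Include command line in process creation events" policy is enabled. If the upstream rule's selection keys on WerFaultSecure.exe's arguments (its logic is not in this hunk), the entry will produce no matches on hosts without that policy, so that prerequisite is worth stating wherever this config's data-source requirements are documented. The `id` value `4bf1a6ac-2f14-c4e7-4339-5a28683aa92f` is not an RFC 4122 version-4 UUID (version nibble `c`, variant nibble `4`); it presumably mirrors the upstream Sigma rule's id for cross-referencing, so confirm it against the source rule rather than regenerating it here. The `description` ends in a literal `\n` carried over from the YAML block scalar; if the generator strips it for sibling entries (not visible here), it should be stripped for this one too.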