
Summary
This detection rule targets process access events in which WerFaultSecure.exe opens a handle to the MsMpEng.exe process, specifically where the call trace of the access event references dbgcore.dll or dbghelp.dll. Such an event indicates possible use of an EDR freeze technique, which aims to evade detection by suspending endpoint detection and response (EDR) or antivirus (AV) processes. WerFaultSecure.exe runs as a Protected Process Light (PPL) at the Windows Trusted Computing Base (WinTCB) level, which allows it to invoke functions such as MiniDumpWriteDump against protected processes. This is typically used to capture a memory dump of a process while its threads are suspended, so the EDR/AV process remains frozen and malicious activity can proceed unobserved for the duration of the freeze. The rule triggers on Sysmon Event ID 10 (ProcessAccess) and requires a Sysmon configuration that limits ProcessAccess logging to the relevant source and target images, since unrestricted Event ID 10 logging generates excessive volume and makes the events impractical to review.
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2025-11-27