Hacker Finds New Technique to Bypass SentinelOne EDR Solution

Summary:
A new report released on May 5th by researchers at Aon's Stroz Friedberg Incident Response Services detailed a novel "Bring Your Own Installer" technique that threat actors can exploit to bypass SentinelOne's EDR solution. This method leverages a vulnerability within the SentinelOne agent's upgrade/downgrade process, creating a short time window in which the endpoint is left unprotected. Researchers observed a threat actor using this technique after gaining local administrative access to deploy a variant of the Babuk ransomware. The threat actor gained local administrative access on a publicly accessible server through exploitation of a CVE in an application running on the server. The bypass involves the use of multiple legitimate SentinelOne installer files and manipulation of the upgrade/downgrade process, specifically interrupting the upgrade by terminating the associated "msiexec.exe" process. Because the old-version SentinelOne processes were terminated during the upgrade, and the new processes were interrupted before spawning, the final result was a system without SentinelOne protection. SentinelOne has since provided mitigation steps to its customers, including enabling the Local Upgrade Authorization feature by default for new users.
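The sequence the report describes (an installer run under msiexec.exe, the old agent processes stopping, msiexec being killed, and no new agent process appearing) is observable in host process telemetry. The following detection is an added illustration, not code from Aon, SentinelOne or the article: it reads a constructed, Sysmon-style process event stream (the line format, the image names, the installer file name and the timing thresholds are all assumptions) and flags every installer run after which the agent stopped but never came back.

```python
"""Detect an interrupted SentinelOne agent upgrade that leaves a host without
a running agent.

Added illustration, not code from Aon, SentinelOne or the article. The event
line format, image names, installer markers and grace period are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Assumed image names and installer markers; adjust to the environment.
AGENT_IMAGE = "sentinelagent.exe"
INSTALLER_MARKERS = ("sentinelinstaller", "sentinelagent")
# How long a legitimate upgrade may take to bring a new agent process back.
AGENT_GRACE = timedelta(minutes=5)


@dataclass
class ProcEvent:
    ts: datetime
    kind: str      # "create" or "terminate"
    image: str     # lower-cased image name, e.g. "msiexec.exe"
    pid: int
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse the constructed 'timestamp|kind|image|pid|cmdline' format."""
    ts, kind, image, pid, cmdline = line.split("|", 4)
    return ProcEvent(datetime.fromisoformat(ts), kind, image.lower(), int(pid), cmdline)


def parse_lines(lines: List[str]) -> List[ProcEvent]:
    """Parse and order events by timestamp so later scans can assume time order."""
    return sorted((parse_line(ln) for ln in lines), key=lambda e: e.ts)


def is_agent_installer(ev: ProcEvent) -> bool:
    """msiexec.exe launched with a command line that names a SentinelOne installer."""
    return (ev.kind == "create" and ev.image == "msiexec.exe"
            and any(m in ev.cmdline.lower() for m in INSTALLER_MARKERS))


def find_interrupted_upgrades(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per installer run during which the agent stopped and
    no new agent process was created within AGENT_GRACE after msiexec ended."""
    findings = []
    for i, start in enumerate(events):
        if not is_agent_installer(start):
            continue
        later = events[i + 1:]
        # Termination of the msiexec process that ran the installer; if there is
        # none yet the upgrade is still in progress and is not judged here.
        end = next((e for e in later if e.kind == "terminate"
                    and e.image == "msiexec.exe" and e.pid == start.pid), None)
        if end is None:
            continue
        old_agent_stopped = any(e.kind == "terminate" and e.image == AGENT_IMAGE
                                and start.ts <= e.ts <= end.ts for e in later)
        agent_restarted = any(e.kind == "create" and e.image == AGENT_IMAGE
                              and end.ts <= e.ts <= end.ts + AGENT_GRACE for e in later)
        if old_agent_stopped and not agent_restarted:
            findings.append({
                "installer_pid": start.pid,
                "installer_started": start.ts.isoformat(),
                "msiexec_terminated": end.ts.isoformat(),
                "msiexec_runtime_s": (end.ts - start.ts).total_seconds(),
                "cmdline": start.cmdline,
            })
    return findings


# Constructed sample telemetry: a completed upgrade (msiexec pid 3000, agent
# returns) followed by an interrupted one (msiexec pid 4120, agent never returns).
SAMPLE_LINES = [
    "2025-05-01T09:00:00|create|msiexec.exe|3000|msiexec.exe /i C:\\Temp\\SentinelInstaller_windows_64bit.msi /q",
    "2025-05-01T09:00:05|terminate|SentinelAgent.exe|1200|",
    "2025-05-01T09:01:30|terminate|msiexec.exe|3000|",
    "2025-05-01T09:01:35|create|SentinelAgent.exe|3400|C:\\Program Files\\SentinelOne\\SentinelAgent.exe",
    "2025-05-01T10:00:00|create|msiexec.exe|4120|msiexec.exe /i C:\\Temp\\SentinelInstaller_windows_64bit.msi /q",
    "2025-05-01T10:00:08|terminate|SentinelAgent.exe|3400|",
    "2025-05-01T10:00:09|terminate|msiexec.exe|4120|",
]


def run_detection(lines: List[str]) -> List[dict]:
    """Convenience wrapper: raw lines in, findings out."""
    return find_interrupted_upgrades(parse_lines(lines))


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_LINES):
        print("ALERT: interrupted SentinelOne upgrade, agent not restarted:", finding)
```

The completed upgrade is not flagged because a new agent process appears within the grace period; the interrupted run is flagged because the agent stopped and nothing replaced it. One practical point: the telemetry this rule consumes has to come from a source that does not depend on the agent (Sysmon, Windows event forwarding, or a console-side "agent offline" alert), since the agent itself is what is missing during the window the report describes.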

Security Officer Comments:
The discovery of this "Bring Your Own Installer" bypass technique against a widely used EDR like SentinelOne highlights threat actors’ drive to research prominent cyber defense solutions to exploit them. While the vulnerability lies within the upgrade/downgrade mechanism and requires prior local administrative access, its successful exploitation to deploy ransomware underscores the severity of the attack. The fact that a threat actor was observed using this in the wild emphasizes the practical risk and the urgency with which organizations with potential EDR misconfigurations should apply mitigations. SentinelOne's prompt response in providing mitigation steps and proactively sharing information with other EDR vendors is commendable and reflects a collaborative cybersecurity community. However, organizations using SentinelOne must urgently review and implement the recommended mitigations to ensure their endpoints remain protected against this specific attack vector. This incident serves as a critical reminder that even sophisticated security solutions can have vulnerabilities, and that proactive monitoring, threat research, and timely patching remain essential.

Suggested Corrections:
SentinelOne has mitigated unapproved agent upgrades through the Local Upgrade Authorization feature, which has been available to customers since January 19, 2025. SentinelOne customers can find documentation for this feature on the password-protected SentinelOne documentation site. When Local Upgrade Authorization is enabled, any attempt by a user to locally upgrade Windows agents is blocked. Customers can also optionally choose to allow local upgrades during predefined time windows. Use SentinelOne's local agent passphrase (enabled by default) to prevent unauthorized agent uninstalls and protect against unauthorized agent upgrades.

Link(s):
https://www.infosecurity-magazine.com/news/new-technique-bypass-sentinelone/

https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone

https://www.sentinelone.com/blog/protection-against-local-upgrade-technique-described-in-aon-research/