A new "Bring Your Own Installer" EDR bypass technique is being exploited in attacks to bypass SentinelOne's tamper protection feature, allowing threat actors to disable endpoint detection and response (EDR) agents to install the Babuk ransomware.
This technique exploits a gap in the agent upgrade process that allows the threat actors to terminate running EDR agents, leaving devices unprotected.
The attack was discovered by John Ailes and Tim Mashni of Aon's Stroz Friedberg Incident Response team during an engagement with a customer who suffered a ransomware attack earlier this year.
The technique doesn't rely on third-party tools or drivers like we typically see with EDR bypasses but instead abuses the SentinelOne installer itself.
SentinelOne recommends customers enable the "Online Authorization" setting, which is turned off by default, to mitigate this attack.
"We want to get the word out to ensure SentinelOne's customers know to enable Local Upgrade protection," John Ailes, Manager, Aon's Stroz Friedberg DFIR, told BleepingComputer.
"We've investigated environments with SentinelOne since their guidance was sent to customers and have seen clients that still don't have it enabled. At the end of the day, getting the word out to mitigate this bypass is the most important thing."
Actively exploited in ransomware attacks
The Stroz Friedberg researchers explain that SentinelOne protects its EDR agent with an anti-tamper protection feature that requires a manual action in the SentinelOne management console or a unique code to remove an agent.
However, like many other software installers, when installing a different version of the agent, the SentinelOne installer terminates any associated Windows processes just before the existing files are overwritten with the new version.
Threat actors discovered they could exploit this small window of opportunity by running a legitimate SentinelOne installer and then forcefully terminating the installation process after it shuts down the running agent's services, leaving devices unprotected.

Supply: Stroz Friedberg
Earlier this year, Stroz Friedberg was engaged to investigate an attack on a customer's network, with logs showing that the attackers gained administrative access to the customer's network through a vulnerability.
The attackers then used this new bypass by terminating the SentinelOne Windows Installer ("msiexec.exe") process before it could install and launch the new version of the agent. With protections disabled on the device, the threat actors were then able to deploy the ransomware.
In a conversation with BleepingComputer, Ailes said that threat actors can utilize new or older versions of the agent to conduct this attack, so even if the latest version runs on devices, they're still vulnerable.
"Stroz Friedberg also observed that the host went offline in the SentinelOne management console shortly after the installer was terminated," warns Stroz Friedberg's report.
"Further testing confirmed that the attack was successful across multiple versions of the SentinelOne agent and was not dependent on the specific versions observed in this incident."
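Detection logic for the sequence described above, added here as an example that is not from the article or from Stroz Friedberg: it scans constructed Sysmon-style process events (field names assumed) for a SentinelOne MSI run under msiexec.exe that terminated without the agent process, assumed to be SentinelAgent.exe, starting again within a grace window; the installer file name is also an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AGENT_IMAGE = "sentinelagent.exe"     # assumed agent process name
INSTALLER_HINT = "sentinelinstaller"  # assumed substring of the MSI file name
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
INSTALL_CMD = r"msiexec.exe /i C:\Temp\SentinelInstaller_windows_64bit.msi /q"


def ev(host, t, eid, pid, image, cmd=""):
    """Build one constructed Sysmon-style event (eid 1 = create, 5 = terminate)."""
    return {"host": host, "t": datetime.fromisoformat(t), "eid": eid,
            "pid": pid, "image": image, "cmd": cmd}

# Constructed sample telemetry, not from the incident.
EVENTS = [
    # WS-01: installer killed 7 s after launch and the agent never comes back
    ev("WS-01", "2025-01-10T10:00:00", 1, 4100, MSIEXEC, INSTALL_CMD),
    ev("WS-01", "2025-01-10T10:00:07", 5, 4100, MSIEXEC),
    # WS-02: normal upgrade, agent process restarts soon after msiexec exits
    ev("WS-02", "2025-01-10T11:00:00", 1, 5200, MSIEXEC, INSTALL_CMD),
    ev("WS-02", "2025-01-10T11:00:40", 5, 5200, MSIEXEC),
    ev("WS-02", "2025-01-10T11:00:45", 1, 5300,
       r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"),
]

def find_interrupted_upgrades(events, grace_seconds=120):
    """Return (host, installer_pid, terminated_at_iso, installer_runtime_s) for each
    SentinelOne installer run that ended without the agent process starting again."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        # msiexec launches whose command line references the SentinelOne MSI
        starts = {e["pid"]: e for e in evs if e["eid"] == 1
                  and e["image"].lower().endswith("msiexec.exe")
                  and INSTALLER_HINT in e["cmd"].lower()}
        for e in evs:
            if e["eid"] != 5 or e["pid"] not in starts:
                continue
            ended = e["t"]
            agent_back = any(x["eid"] == 1
                             and x["image"].lower().endswith(AGENT_IMAGE)
                             and ended <= x["t"] <= ended + timedelta(seconds=grace_seconds)
                             for x in evs)
            if not agent_back:
                # a very short installer runtime is the secondary tell
                runtime = (ended - starts[e["pid"]]["t"]).total_seconds()
                findings.append((host, e["pid"], ended.isoformat(), runtime))
    return findings
```

Correlating the finding with the host dropping offline in the management console, as the report describes, raises confidence further.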
Stroz Friedberg responsibly disclosed this attack to SentinelOne, who privately shared mitigations with customers in January 2025.
The mitigation is to enable the "Online Authorization" feature in the Sentinel Policy settings, which, when enabled, requires approval from the SentinelOne management console before local upgrades, downgrades, or uninstalls of the agent can occur.
SentinelOne also shared Stroz Friedberg's advisory on this new technique with all other major EDR vendors, in case they were also affected.
Palo Alto Networks confirmed to Stroz Friedberg that this attack did not impact its EDR software.