Ethical Hacking News
A new "Bring Your Own Installer" EDR bypass technique used by threat actors allows them to disable endpoint detection and response (EDR) agents, leaving devices vulnerable to ransomware attacks. SentinelOne has recommended a mitigation measure: enabling the "Online Authorization" setting in policy settings.
Researchers at Aon's Stroz Friedberg Incident Response team discovered a new technique used by threat actors to bypass SentinelOne's tamper protection feature. The technique exploits a gap in the agent upgrade process to disable endpoint detection and response (EDR) agents during ransomware attacks. Threat actors have used this bypass to install ransomware, such as Babuk, on compromised devices. SentinelOne's installer program has a vulnerability that allows attackers to shut down the EDR agent's services, leaving devices unprotected. The discovery highlights a fundamental weakness in the security architecture of many EDR solutions. Enabling the "Online Authorization" setting in policy settings mitigates this risk and prevents attackers from using this bypass technique.
In a recent development that has sent shockwaves through the cybersecurity community, researchers at Aon's Stroz Friedberg Incident Response team have discovered a new and innovative technique used by threat actors to bypass SentinelOne's tamper protection feature. The technique, which involves exploiting a gap in the agent upgrade process to disable endpoint detection and response (EDR) agents, has been found to be actively exploited in ransomware attacks.
According to John Ailes, Manager of Aon's Stroz Friedberg Incident Response team, who led the investigation into this new technique, the method was discovered during an engagement with a customer who had suffered a ransomware attack earlier this year. The researchers were able to track down the attackers and determine that they had used this bypass technique to install the Babuk ransomware on the compromised device.
The way this technique works is as simple as it is concerning. Threat actors appear to have discovered a vulnerability in SentinelOne's installer program, specifically in the process of upgrading or downgrading the EDR agent. When an attacker runs the legitimate SentinelOne installer and then forcefully terminates it before it can complete its installation process, the running EDR agent's services are shut down and never restarted, leaving the device vulnerable to further attacks.
This is particularly concerning because it highlights a fundamental weakness in the security architecture of many EDR solutions. The fact that an attacker does not need to rely on third-party tools or drivers to bypass EDR protection underscores the need for more robust and integrated security measures across all endpoint detection and response systems.
In order to mitigate this risk, SentinelOne has recommended that its customers enable the "Online Authorization" setting in their policy settings. When enabled, this feature requires approval from the management console before local upgrades, downgrades, or uninstalls of the agent can occur, thereby preventing an attacker from using this bypass technique.
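Alongside the Online Authorization setting, defenders can hunt for the sequence described above in endpoint telemetry: an installer run during which the agent service stops and never comes back. The following detection logic is an added example, not code from the article or from SentinelOne; the installer image name, the service name and the sample events are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), normalised the way a SIEM might
# present process-create, process-terminate and service-state-change records.
# The installer image name and service name are assumptions for illustration,
# not values taken from SentinelOne documentation.
INSTALLER_IMAGE = "sentinelinstaller.exe"   # assumed installer image name
EDR_SERVICE = "SentinelAgent"               # assumed EDR agent service name
SAMPLE_EVENTS = [
    # Run 1: installer launched, agent service stops, installer terminated 9 s
    # later and the service never returns: the pattern the article describes.
    {"ts": "2025-05-05T10:00:00", "type": "proc_start", "pid": 4120, "image": r"C:\Temp\SentinelInstaller.exe"},
    {"ts": "2025-05-05T10:00:05", "type": "svc_state", "service": "SentinelAgent", "state": "stopped"},
    {"ts": "2025-05-05T10:00:09", "type": "proc_end", "pid": 4120, "image": r"C:\Temp\SentinelInstaller.exe"},
    # Run 2: a legitimate upgrade; the service is stopped and restarted before the installer exits.
    {"ts": "2025-05-05T12:00:00", "type": "proc_start", "pid": 5200, "image": r"C:\Temp\SentinelInstaller.exe"},
    {"ts": "2025-05-05T12:00:10", "type": "svc_state", "service": "SentinelAgent", "state": "stopped"},
    {"ts": "2025-05-05T12:01:25", "type": "svc_state", "service": "SentinelAgent", "state": "running"},
    {"ts": "2025-05-05T12:01:30", "type": "proc_end", "pid": 5200, "image": r"C:\Temp\SentinelInstaller.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_byoi(events, grace=timedelta(minutes=5)):
    """Return one alert per installer run after which the EDR service stays down.

    A run is flagged when the agent service reported 'stopped' between the
    installer starting and `grace` after it exited, and no 'running' transition
    is seen in that same window. Legitimate upgrades restart the service.
    """
    events = sorted(events, key=_ts)
    svc_changes = [(_ts(e), e["state"]) for e in events
                   if e["type"] == "svc_state" and e["service"] == EDR_SERVICE]
    open_runs, alerts = {}, []
    for e in events:
        if e["type"] == "proc_start" and e["image"].lower().endswith(INSTALLER_IMAGE):
            open_runs[e["pid"]] = _ts(e)
        elif e["type"] == "proc_end" and e["pid"] in open_runs:
            start, end = open_runs.pop(e["pid"]), _ts(e)
            window = lambda t: start <= t <= end + grace
            stopped = any(window(t) and s == "stopped" for t, s in svc_changes)
            recovered = any(window(t) and s == "running" for t, s in svc_changes)
            if stopped and not recovered:
                alerts.append({"pid": e["pid"], "installer_start": start.isoformat(),
                               "installer_end": end.isoformat(),
                               "run_seconds": (end - start).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect_byoi(SAMPLE_EVENTS):
        print("EDR agent left stopped after aborted installer run:", alert)
```

The grace window absorbs the normal stop/start gap of a real upgrade; tune it to the upgrade duration observed in your own environment.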
The researchers at Stroz Friedberg have shared SentinelOne's advisory on this new technique with all other major EDR vendors in order to ensure that they are also aware and able to mitigate this risk. This includes Palo Alto Networks, which has confirmed to the researchers that it was not affected by this particular attack.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Bring-Your-Own-Installer-EDR-Bypass-Technique-Exploited-in-Ransomware-Attacks-ehn.shtml
Published: Mon May 5 15:38:42 2025 by llama3.2 3B Q4_K_M