SentinelOne EDR Bypassed By Hackers Using EDR Upgrade Flaw


Cyber experts have disclosed a new method that allows hackers to bypass SentinelOne’s Endpoint Detection and Response (EDR) system, putting protected devices at risk. The report, published by Aon’s Stroz Friedberg Incident Response team on May 5, highlights a serious technique that attackers are actively using in the wild.

SentinelOne is one of the most widely used EDR solutions globally, providing real-time protection against malware, ransomware, and unauthorized access. However, like all security software, it is not immune to sophisticated exploitation.

The Technique: “Bring Your Own Installer”

The newly discovered method is called “Bring Your Own Installer” (BYOI). It works by taking advantage of a flaw in how the SentinelOne agent is upgraded or downgraded. During this process, there is a brief period when all SentinelOne security processes are terminated before being restarted. Attackers exploit this window to disable protection and execute malware without being detected.

In one case studied by the Stroz Friedberg team, a hacker used this technique to gain administrative access and bypass EDR protection. The attacker then deployed a version of the Babuk ransomware, a well-known form of malware that encrypts victims’ files and demands a ransom payment.

How the EDR Bypass Works

Normally, SentinelOne’s EDR has anti-tamper protection, a security feature that prevents unauthorized users from turning off or uninstalling the agent. To remove or update the agent, users typically need either a unique code or access to the SentinelOne management console.

However, researchers observed that an attacker exploited a vulnerability in another application running on a public-facing server. Using this access, they obtained local administrator privileges on a system that had SentinelOne EDR installed.

With admin access, the attacker triggered a version change of the SentinelOne agent using two legitimate installer files:

  • SentinelOneInstaller_windows_64bit_v23_4_4_223.exe

  • SentinelInstaller_windows_64bit_v23_4_6_347.msi

This left several digital forensic clues, such as:

  • Logs of file creation for multiple versions of the SentinelOne agent

  • Scheduled task updates

  • Stopped and restarted services

  • Firewall configuration changes

Proof-of-Concept and Technical Details

To confirm the vulnerability, researchers created a test environment using a Windows Server 2022 virtual machine with SentinelOne version 23.4.6.223 installed.

They performed a manual upgrade of the agent using the MSI installer file. During the process, SentinelOne terminated its running processes for around 55 seconds before starting the new version. Researchers then ran a command to kill the upgrade process (msiexec.exe) during this window. As a result:

  • The upgrade was incomplete

  • SentinelOne did not restart

  • The device was left completely unprotected

  • The endpoint went offline in the SentinelOne console

This left the door open for any attacker with admin access to carry out malicious actions unnoticed.
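The forensic clues listed above (installer execution, stopped services, and the agent never restarting) can be correlated into a detection. The following is an added example, not code from the report or from SentinelOne: it runs over constructed, simplified event lines (not real Windows Event Log records) and assumes a service name of SentinelAgent and a 180-second restart grace period.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified event lines ("timestamp host event detail"), not real
# Windows Event Log records. They mimic the clues the report lists: installer
# execution, the agent service stopping, and (on the healthy host) restarting.
SAMPLE_LOG = """\
2025-05-01T10:00:00Z srv-web PROCESS_CREATE msiexec.exe /i SentinelInstaller_windows_64bit_v23_4_6_347.msi
2025-05-01T10:00:04Z srv-web SERVICE_STOP SentinelAgent
2025-05-01T10:00:30Z srv-web PROCESS_TERMINATE msiexec.exe
2025-05-01T10:00:00Z srv-db PROCESS_CREATE msiexec.exe /i SentinelInstaller_windows_64bit_v23_4_6_347.msi
2025-05-01T10:00:04Z srv-db SERVICE_STOP SentinelAgent
2025-05-01T10:00:59Z srv-db SERVICE_START SentinelAgent
2025-05-01T10:01:02Z srv-db PROCESS_TERMINATE msiexec.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
# Matches both installer file names named in the report (.exe and .msi).
INSTALLER_RE = re.compile(r"Sentinel(One)?Installer_windows_\S+\.(msi|exe)", re.I)
AGENT_SERVICE = "SentinelAgent"  # assumed service name used in the constructed log

def parse(log):
    # Turn each line into a (timestamp, host, event, detail) tuple.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_interrupted_upgrades(log, grace_seconds=180):
    """Flag hosts where a SentinelOne installer ran, the agent service stopped
    afterwards, and no service start followed within grace_seconds (assumed margin)."""
    grace = timedelta(seconds=grace_seconds)
    by_host = {}
    for ts, host, kind, detail in parse(log):
        by_host.setdefault(host, []).append((ts, kind, detail))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        installs = [ts for ts, k, d in evs if k == "PROCESS_CREATE" and INSTALLER_RE.search(d)]
        if not installs:
            continue  # no agent version change on this host; nothing to correlate
        stops = [ts for ts, k, d in evs if k == "SERVICE_STOP" and d == AGENT_SERVICE and ts >= installs[0]]
        starts = [ts for ts, k, d in evs if k == "SERVICE_START" and d == AGENT_SERVICE]
        for stop in stops:
            if not any(stop <= s <= stop + grace for s in starts):
                alerts.append({"host": host, "stopped_at": stop.isoformat(), "reason": "agent service not restarted after installer run"})
    return alerts
```

The report observed a 55-second gap in a normal upgrade, so the grace period should comfortably exceed that; a host that stays flagged should also be checked against its status in the management console.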


SentinelOne Mitigation Measures

After being informed of the flaw, SentinelOne took immediate action. The company released security recommendations and feature updates to help customers defend against this technique.

Recommended Security Measures:

  1. Enable the Local Agent Passphrase (this is turned on by default): This prevents anyone from uninstalling or modifying the agent without authorization.

  2. Use Local Upgrade Authorization: This ensures that any upgrades must be approved through the SentinelOne management console.

Additionally, SentinelOne announced that all new customer accounts will have the Local Upgrade Authorization setting enabled by default, providing extra protection against unauthorized changes.

Disclosure and Industry Impact

SentinelOne also collaborated with other EDR vendors by sharing details of the attack in a private disclosure before the public release. This helped other cybersecurity companies check their own products and strengthen their protections.

Aon’s report noted that, as of the time of publication, no EDR vendors are vulnerable to this technique if their solutions are configured properly. Still, the case serves as a critical reminder of the importance of secure configuration and monitoring.

EDR Isn’t Foolproof – Stay Vigilant

This latest discovery shows that even advanced cybersecurity solutions like SentinelOne can be bypassed under certain conditions. Attackers are constantly looking for new ways to gain control over systems, and even legitimate software tools can be used for malicious purposes.

To stay secure:

  • Always keep EDR software up to date

  • Follow vendor recommendations for best practices

  • Limit administrative access

  • Monitor for unusual agent upgrades or version changes

While SentinelOne acted quickly to address the vulnerability, organizations should treat this as a wake-up call to review and tighten their endpoint security configurations.
