Aon’s Stroz Friedberg Incident Response Services has uncovered a method used by a threat actor to bypass SentinelOne Endpoint Detection and Response (EDR) protections, ultimately deploying a variant of the notorious Babuk ransomware.
SentinelOne EDR, a widely-used endpoint protection solution, is designed to detect and block threats with robust anti-tamper mechanisms that prevent unauthorized disabling of its agent.
However, during an incident investigation, Stroz Friedberg discovered that a vulnerability in the local upgrade/downgrade process of the SentinelOne agent could be exploited, leaving endpoints unprotected.
The threat actor gained local administrative access on a publicly accessible server by exploiting a known CVE in a running application, subsequently disabling the EDR agent without needing the anti-tamper code.

Forensic Insights and Testing Reveal Critical Flaw
Forensic analysis by Stroz Friedberg revealed a series of suspicious activities, including the creation of multiple legitimate, signed SentinelOne installer files and rapid product version changes logged over a 10-minute period.
Event logs showed commands to unload the agent and installer exits, alongside other indicators like service stop/start events and local firewall changes. Notably, no malicious or vulnerable drivers were involved in the bypass.
Testing conducted on a Windows Server 2022 virtual machine with SentinelOne version 23.4.6.223 confirmed the exploit: during an upgrade initiated via an MSI installer, Stroz Friedberg observed a brief window where all SentinelOne processes were terminated before new ones spawned.
By interrupting the process with a taskkill command on msiexec.exe, the team effectively left the system without EDR protection, a state reflected as “offline” in the SentinelOne management console.
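The forensic indicators listed above (several signed installer files dropped, rapid agent version changes, an agent unload with no restart, and msiexec terminated mid-upgrade) can be correlated in a time window. The following is an added detection heuristic, not code from Stroz Friedberg or SentinelOne; the event kinds, tuple layout, the service name SentinelAgent and the version placeholders are assumptions to be mapped onto your own telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry shaped like the write-up's indicators:
# (ISO timestamp, event kind, detail). Version strings are placeholders.
SAMPLE_EVENTS = [
    ("2025-01-10T02:00:05", "file_create", "C:\\Users\\Public\\SentinelInstaller_A.msi"),
    ("2025-01-10T02:00:40", "file_create", "C:\\Users\\Public\\SentinelInstaller_B.msi"),
    ("2025-01-10T02:01:10", "version_change", "23.4.6.223 -> older-build (placeholder)"),
    ("2025-01-10T02:03:30", "version_change", "older-build (placeholder) -> 23.4.6.223"),
    ("2025-01-10T02:05:02", "service_stop", "SentinelAgent"),
    ("2025-01-10T02:05:04", "process_terminate", "msiexec.exe"),
]
# A normal upgrade for comparison: one installer, one version change, agent restarts.
BENIGN_EVENTS = [
    ("2025-01-10T09:00:00", "file_create", "C:\\Users\\Public\\SentinelInstaller.msi"),
    ("2025-01-10T09:01:00", "service_stop", "SentinelAgent"),
    ("2025-01-10T09:01:20", "service_start", "SentinelAgent"),
    ("2025-01-10T09:01:25", "version_change", "23.4.6.223 -> newer-build (placeholder)"),
]
AGENT_SERVICE = "SentinelAgent"  # assumed service name; adjust to your telemetry

def _parse(raw):
    return sorted((datetime.fromisoformat(t), k, d) for t, k, d in raw)

def detect_upgrade_window_abuse(raw_events, window=timedelta(minutes=10),
                                restart_grace=timedelta(seconds=90)):
    """Return the set of indicator names seen together inside any window-long span."""
    events = _parse(raw_events)
    findings = set()
    for i, (start, _, _) in enumerate(events):
        span = [e for e in events[i:] if e[0] - start <= window]
        installers = [e for e in span if e[1] == "file_create" and "sentinel" in e[2].lower()
                      and e[2].lower().endswith((".msi", ".exe"))]
        if len(installers) >= 2:
            findings.add("multiple_signed_installers_dropped")
        if sum(e[1] == "version_change" for e in span) >= 2:
            findings.add("rapid_agent_version_changes")
        for ts, kind, detail in span:
            if kind != "service_stop" or detail != AGENT_SERVICE:
                continue
            # Look at what happens in the grace period after the agent stops.
            after = [e for e in events if ts <= e[0] <= ts + restart_grace]
            if not any(k == "service_start" and d == AGENT_SERVICE for _, k, d in after):
                findings.add("agent_stopped_without_restart")
            if any(k == "process_terminate" and d.lower() == "msiexec.exe" for _, k, d in after):
                findings.add("installer_killed_during_agent_upgrade")
    return findings

def should_alert(raw_events):
    """Constructed threshold: two or more independent indicators coinciding."""
    return len(detect_upgrade_window_abuse(raw_events)) >= 2
```

A single indicator (one installer drop, one version change) is ordinary upgrade noise; the alert fires only when several of them coincide in one window, as they did in the incident.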

This bypass proved consistent across multiple agent versions, highlighting a systemic issue in the local upgrade process when not properly secured.
The impacted environment lacked the critical “online authorization” feature for upgrades at the time of the attack, a setting that Stroz Friedberg later verified as a successful mitigation during subsequent tests.
Swift Response and Industry-Wide Collaboration
Upon identifying this critical vulnerability, Stroz Friedberg promptly reported their findings to SentinelOne, who responded with actionable guidance for customers.
SentinelOne’s “Online Authorization” feature, accessible via the Sentinel Policy menu, disables local upgrades and downgrades, effectively blocking this bypass method when enabled.
This setting was not enabled by default at the time of the investigation, and it has since proven essential in safeguarding endpoints.
In a commendable move, SentinelOne also collaborated with Stroz Friedberg to privately disclose this attack pattern to other EDR vendors, allowing them to assess and fortify their solutions before public revelation.
As of this report, no EDR vendor, including SentinelOne, appears vulnerable to this specific attack when configured correctly.
Customers are strongly urged to review and implement SentinelOne’s remediation guidance, ensuring the “Online Authorization” feature is activated to prevent similar exploits.
This incident underscores the evolving sophistication of threat actors and the importance of rigorous configuration and timely updates in endpoint security solutions, reminding organizations to remain vigilant against such targeted bypass techniques.