A new “Bring Your Own Installer” technique has been discovered to bypass SentinelOne’s tamper protection. This vulnerability allows attackers to disable endpoint detection and response (EDR) agents, making systems vulnerable to ransomware attacks like Babuk. The bypass targets a gap in the agent upgrade process, where threat actors can terminate running EDR agents, leaving devices unprotected. Researchers from Aon’s Stroz Friedberg Incident Response team identified this vulnerability during their investigation of a customer’s ransomware attack.
Unlike typical EDR bypasses that rely on third-party tools, this technique exploits the SentinelOne installer itself. During an upgrade, the SentinelOne installer terminates the running agent processes before it installs the new agent version. Attackers can exploit this brief window by running the legitimate installer and terminating it early, before the new agent is brought up, which leaves the host without EDR protection.
With the agent disabled, the attackers can install ransomware without interference from SentinelOne’s security measures.
SentinelOne recommends enabling the “Online Authorization” feature to mitigate this vulnerability, though it is disabled by default. Enabling this feature would require approval from the management console before local upgrades or uninstalls of the agent occur. Despite the recommendation, Stroz Friedberg’s team observed that many clients still had this protection disabled after the disclosure.
The researchers emphasized the importance of spreading awareness so SentinelOne customers can secure their systems against this attack vector.
Further investigation by Stroz Friedberg showed that this attack is not version-dependent and can be carried out with both old and new versions of the SentinelOne agent. After the attacker terminates the installer, the affected host appears offline in the SentinelOne management console. SentinelOne shared mitigations with customers in January 2025 and disclosed the issue to other major EDR vendors. Palo Alto Networks confirmed that its EDR solution was not affected by this vulnerability.
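The two observables the article gives a defender are the sequence described above (legitimate installer starts, agent processes stop, installer exits early, agent never comes back) and the fact that the affected host then appears offline in the management console. The following hunting rule, written for this article as an added example and not code from SentinelOne or Stroz Friedberg, applies both checks to constructed endpoint telemetry. The process names (SentinelInstaller.exe, SentinelAgent.exe), the event schema, the console status map and the timing thresholds are assumptions for illustration; adapt them to the field names your EDR or SIEM actually exports.

```python
"""Hunt for the 'Bring Your Own Installer' pattern in process telemetry.

Added example, not vendor tooling. Process names, event schema and
thresholds are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta

INSTALLER_NAMES = {"sentinelinstaller.exe"}  # assumed installer image name
AGENT_NAMES = {"sentinelagent.exe"}          # assumed agent process name
RESTART_GRACE = timedelta(minutes=5)         # a real upgrade should restart the agent within this
EARLY_KILL = timedelta(seconds=60)           # installer exiting faster than this is suspicious

# Constructed console view: which hosts the management console currently lists as offline.
CONSOLE_STATUS = {"WS-01": "online", "WS-02": "offline"}

# Constructed process telemetry (ISO timestamps, one record per start/end event).
EVENTS = [
    # WS-01: a normal upgrade. Installer stops the agent, finishes, agent returns.
    {"ts": "2025-01-15T10:00:00", "host": "WS-01", "event": "process_start", "pid": 4100,
     "image": r"C:\Temp\SentinelInstaller.exe"},
    {"ts": "2025-01-15T10:00:05", "host": "WS-01", "event": "process_end", "pid": 1200,
     "image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"},
    {"ts": "2025-01-15T10:01:30", "host": "WS-01", "event": "process_end", "pid": 4100,
     "image": r"C:\Temp\SentinelInstaller.exe"},
    {"ts": "2025-01-15T10:01:35", "host": "WS-01", "event": "process_start", "pid": 1300,
     "image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"},
    # WS-02: installer stops the agent, is terminated six seconds in, agent never restarts.
    {"ts": "2025-01-15T10:10:00", "host": "WS-02", "event": "process_start", "pid": 5200,
     "image": r"C:\Users\Public\SentinelInstaller.exe"},
    {"ts": "2025-01-15T10:10:04", "host": "WS-02", "event": "process_end", "pid": 1201,
     "image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"},
    {"ts": "2025-01-15T10:10:06", "host": "WS-02", "event": "process_end", "pid": 5200,
     "image": r"C:\Users\Public\SentinelInstaller.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_installer_kills(events, console_status=CONSOLE_STATUS,
                         grace=RESTART_GRACE, early_kill=EARLY_KILL):
    """Return one finding per installer run after which the agent stopped and did not return."""
    findings = []
    by_host = {}
    for ev in sorted(events, key=_ts):
        by_host.setdefault(ev["host"], []).append(ev)

    for host, evs in by_host.items():
        for inst in evs:
            if inst["event"] != "process_start" or _basename(inst["image"]) not in INSTALLER_NAMES:
                continue
            start = _ts(inst)
            # Matching end record for this installer process, if it has exited.
            end_ev = next((e for e in evs if e["event"] == "process_end"
                           and e["pid"] == inst["pid"] and _ts(e) >= start), None)
            end = _ts(end_ev) if end_ev else None
            # Did an agent process stop after the installer launched?
            agent_stopped = any(e["event"] == "process_end"
                                and _basename(e["image"]) in AGENT_NAMES
                                and _ts(e) >= start for e in evs)
            # Did an agent process start again within the grace period after the installer finished?
            deadline = (end or start) + grace
            agent_back = any(e["event"] == "process_start"
                             and _basename(e["image"]) in AGENT_NAMES
                             and start < _ts(e) <= deadline for e in evs)
            if agent_stopped and not agent_back:
                runtime = (end - start).total_seconds() if end else None
                findings.append({
                    "host": host,
                    "installer_pid": inst["pid"],
                    "installer_runtime_s": runtime,
                    "early_exit": runtime is not None and runtime <= early_kill.total_seconds(),
                    "console_status": console_status.get(host, "unknown"),
                })
    return findings


if __name__ == "__main__":
    for finding in find_installer_kills(EVENTS):
        print(finding)
```

A hit with `early_exit` set and `console_status == "offline"` matches the behaviour the article describes and is worth paging on; a hit where the installer ran to completion but the agent still did not return is more likely a failed upgrade, so the two cases are kept distinguishable in the finding rather than collapsed into one alert.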