New "Bring Your Own Installer" EDR bypass used in ransomware attack
By Lawrence Abrams, May 5, 2025, 04:28 PM

Update 5/6/25: Added new information from SentinelOne.

A new "Bring Your Own Installer" EDR bypass technique is being exploited in attacks to bypass SentinelOne's tamper protection feature, allowing threat actors to disable endpoint detection and response (EDR) agents and install the Babuk ransomware.

This technique exploits a gap in the agent upgrade process that allows threat actors to terminate running EDR agents, leaving devices unprotected.

The attack was discovered by John Ailes and Tim Mashni of Aon's Stroz Friedberg Incident Response team during an engagement with a customer who suffered a ransomware attack earlier this year.

The technique does not rely on third-party tools or drivers, as we normally see with EDR bypasses, but instead abuses the SentinelOne installer itself.

SentinelOne recommends that customers enable the "Online Authorization" setting, which is turned off by default, to mitigate this attack.

"We want to get the word out to ensure SentinelOne's customers know to enable Local Upgrade protection," John Ailes, Manager, Aon's Stroz Friedberg DFIR, told BleepingComputer.

"We've investigated environments with SentinelOne since their guidance was sent to customers and have seen clients that still don't have it enabled. At the end of the day, getting the word out to mitigate this bypass is the most important thing."

Actively exploited in ransomware attacks

The Stroz Friedberg researchers explain that SentinelOne protects its EDR agent with an anti-tamper protection feature that requires a manual action in the SentinelOne management console or a unique code to remove an agent.
However, like many other software installers, when installing a different version of the agent, the SentinelOne installer terminates any associated Windows processes just before the existing files are overwritten with the new version.

Threat actors discovered they could exploit this small window of opportunity by running a legitimate SentinelOne installer and then forcefully terminating the install process after it shuts down the running agent's services, leaving devices unprotected.

[Figure: Bring Your Own Installer EDR bypass attack chain. Source: Stroz Friedberg]

Earlier this year, Stroz Friedberg was engaged to investigate an attack on a customer's network, with logs showing that the attackers gained administrative access to the customer's network through a vulnerability.

The attackers then used this new bypass by terminating the SentinelOne Windows Installer ("msiexec.exe") process before it could install and launch the new version of the agent. With protections disabled on the device, the threat actors were then able to deploy the ransomware.

In a conversation with BleepingComputer, Ailes said that threat actors can use new or older versions of the agent to conduct this attack, so even if the latest version is running on devices, they are still vulnerable.

"Stroz Friedberg also observed that the host went offline in the SentinelOne management console shortly after the installer was terminated," warns Stroz Friedberg's report.

"Further testing showed that the attack was successful across multiple versions of the SentinelOne agent and was not dependent on the specific versions observed in this incident."

Stroz Friedberg responsibly disclosed this attack to SentinelOne, which privately shared mitigations with customers in January 2025.

The mitigation is to enable the "Online Authorization" feature in the Sentinel Policy settings, which, when enabled, requires approval from the SentinelOne management console before local upgrades, downgrades, or uninstalls of the agent can occur.
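The sequence described above (an installer run that stops the agent service, is cut short, and is followed by the host dropping out of the console) is something a SOC can hunt for in endpoint telemetry. The following is an added detection sketch written for this article; it is not code from BleepingComputer, SentinelOne or Stroz Friedberg. It assumes a constructed, pipe-delimited event format ("ts|kind|pid|name|detail"), an assumed agent service name of "SentinelAgent", and a constructed installer file name; the sample log lines are made up to show one interrupted run next to one normal upgrade. Adapt the field names and service name to your own EDR and process-auditing telemetry.

```python
# Added example (not from the article, SentinelOne or Stroz Friedberg):
# flag an agent upgrade that was cut short before the new agent came back up.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed names: adjust to your telemetry and deployment.
AGENT_SERVICE = "SentinelAgent"   # assumed Windows service name of the EDR agent
INSTALLER_MARKER = "sentinel"     # substring expected in the installer command line


@dataclass
class Event:
    ts: datetime
    kind: str     # proc_start | proc_end | svc_stop | svc_start
    pid: int      # process id (0 for service events)
    name: str     # image name or service name
    detail: str   # command line, stop reason, or exit status


def parse_line(line: str) -> Event:
    """Parse one line of the constructed 'ts|kind|pid|name|detail' format."""
    ts, kind, pid, name, detail = line.split("|", 4)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, int(pid), name, detail)


def is_agent_installer(ev: Event) -> bool:
    """True for a process start of msiexec.exe whose command line names the agent installer."""
    return (ev.kind == "proc_start"
            and ev.name.lower() == "msiexec.exe"
            and INSTALLER_MARKER in ev.detail.lower())


def find_interrupted_upgrades(events: List[Event],
                              grace: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return installer runs during which the agent service stopped but did not
    start again before the installer exited (plus a grace period for slow installs)."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, start in enumerate(events):
        if not is_agent_installer(start):
            continue
        end = next((e for e in events[i + 1:]
                    if e.kind == "proc_end" and e.pid == start.pid), None)
        if end is None:
            continue  # installer still running; nothing to conclude yet
        stopped = [e for e in events
                   if e.kind == "svc_stop" and e.name == AGENT_SERVICE
                   and start.ts <= e.ts <= end.ts]
        if not stopped:
            continue  # this run never took the agent down
        restarted = any(e.kind == "svc_start" and e.name == AGENT_SERVICE
                        and stopped[0].ts <= e.ts <= end.ts + grace
                        for e in events)
        if not restarted:
            findings.append({
                "pid": start.pid,
                "installer_started": start.ts,
                "installer_ended": end.ts,
                "agent_down_since": stopped[0].ts,
                "installer_exit": end.detail,
            })
    return findings


def scan(lines: List[str]) -> List[Dict]:
    """Parse raw lines and return the interrupted-upgrade findings."""
    return find_interrupted_upgrades([parse_line(l) for l in lines if l.strip()])


# Constructed sample telemetry: one interrupted run (pid 4120), one normal upgrade (pid 6000).
SAMPLE_LOG = [
    "2025-01-14T10:00:00Z|proc_start|4120|msiexec.exe|/i sentinel_agent_installer.msi /q",
    "2025-01-14T10:00:07Z|svc_stop|0|SentinelAgent|stopped by installer",
    "2025-01-14T10:00:09Z|proc_end|4120|msiexec.exe|terminated externally, exit 1",
    "2025-01-14T11:00:00Z|proc_start|6000|msiexec.exe|/i sentinel_agent_installer.msi /q",
    "2025-01-14T11:00:05Z|svc_stop|0|SentinelAgent|stopped by installer",
    "2025-01-14T11:00:40Z|svc_start|0|SentinelAgent|started",
    "2025-01-14T11:00:45Z|proc_end|6000|msiexec.exe|exit 0",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT: agent down since {f['agent_down_since']} after msiexec pid {f['pid']} "
              f"ended at {f['installer_ended']} ({f['installer_exit']})")
```

The grace period matters: a legitimate upgrade also stops the service, so the rule fires only when the service is still down after the installer has exited. Correlating a hit with the "host went offline" signal from the management console, which the report describes, gives a second, independent indicator of the same event.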
SentinelOne also shared Stroz Friedberg's advisory on this new technique with all other major EDR vendors, in case they were also affected. Palo Alto Networks confirmed to Stroz Friedberg that this attack did not impact its EDR software.

Update 5/6/25: After publishing this story, SentinelOne shared a statement confirming Stroz Friedberg's reporting and indicating that this technique poses a similar threat to other EDR vendors.

"SentinelOne also shared Stroz's research with prominent EDR vendors, as the technique is one that could be applied against other endpoint protection products," reads SentinelOne's statement.

"While such local access poses similar threats to anti-tampering for these EDR products, at large, Stroz went on to say that they have no 'knowledge of any EDR vendor, including SentinelOne, that is currently impacted by this attack when their product is properly configured.'"

SentinelOne shared the following guidance to mitigate this attack:

1. We have multiple ways to protect customers from this type of bypass.
   a. The local agent passphrase is enabled by default to prevent unauthorized agent uninstalls and can also be enabled to protect against unauthorized agent upgrades.
   b. We also offer a Local Upgrade Authorization feature to ensure upgrades are authenticated through the SentinelOne console, which is the recommended method to protect against this bypass. SentinelOne customers can access information about this feature here (password-protected site).
2. If a customer has enabled 1a or 1b, they are fully protected from this bypass.
3. This local upgrade protection configuration is not enabled by default for existing customers to ensure continuity of operations with existing deployment and upgrade workflows, notably in third-party tools, such as System Center Configuration Manager.

The company confirmed to BleepingComputer that the Local Upgrade Authorization feature is the same "Online Authorization" setting previously mentioned.
While this setting remains at its current state for existing SentinelOne customers, the company says it is now turning it on by default for new installations.

SentinelOne also says it is communicating with customers again to advise that this setting should be enabled.

BleepingComputer asked SentinelOne if it could share the other impacted EDRs.