The technique, dubbed "Bring Your Own Installer," was recently discovered by Aon's Stroz Friedberg Incident Response team during an investigation of a Babuk ransomware attack. The method exploits a vulnerability in SentinelOne's agent upgrade process, allowing attackers to circumvent the EDR solution's anti-tamper protection without requiring administrative console access or specialized tools.

The technique relies on a property of that upgrade process: when installing a different version of the SentinelOne agent, the installer first terminates all associated Windows processes before overwriting the existing files with the new version. Until the replacement agent is running, the endpoint is unprotected.

Once EDR protection is disabled, the attackers deploy Babuk ransomware, encryption malware that targets multiple platforms including Windows and Linux. Babuk uses AES-256 encryption to lock files on infected computers and attempts to terminate processes and services that might inhibit the encryption process.

The critical mitigation is enabling the "Online Authorization" feature in SentinelOne's Policy settings, which requires approval from the management console before any local upgrade, downgrade, or uninstall can proceed. This discovery highlights the continued evolution of EDR bypass techniques and reinforces the need for organizations to properly configure their security tools and to maintain awareness of emerging threats targeting their endpoint protection.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
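The article says the installer stops the agent's processes before it writes the new version, so the window a defender can look for is "agent installer launched, agent services stopped, agent services never came back." The following is an added example written for this page (it is not code from the article, from Aon, or from SentinelOne) that runs that heuristic over constructed log lines in a simplified "timestamp | channel/event-id | message" format. The service names (SentinelAgent, SentinelStaticEngine), the installer file name, and the event message wording are assumptions made for the illustration; in production you would map them to the event IDs and service names your own telemetry actually records.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Scenario 1: the agent installer is
# launched, the agent services stop, the installer exits, and nothing restarts them.
SUSPICIOUS_LOG = r"""
2025-05-01T10:00:01Z | Security/4688 | New Process: msiexec.exe /i C:\Temp\SentinelInstaller_windows_64bit.msi /quiet
2025-05-01T10:00:03Z | System/7036 | The SentinelAgent service entered the stopped state.
2025-05-01T10:00:04Z | System/7036 | The SentinelStaticEngine service entered the stopped state.
2025-05-01T10:00:09Z | Security/4689 | Process Exit: msiexec.exe
2025-05-01T10:30:00Z | System/7036 | The Spooler service entered the running state.
"""

# Scenario 2 (constructed): a normal upgrade, where the services come back within the window.
BENIGN_LOG = r"""
2025-05-01T10:00:01Z | Security/4688 | New Process: msiexec.exe /i C:\Temp\SentinelInstaller_windows_64bit.msi /quiet
2025-05-01T10:00:03Z | System/7036 | The SentinelAgent service entered the stopped state.
2025-05-01T10:00:04Z | System/7036 | The SentinelStaticEngine service entered the stopped state.
2025-05-01T10:01:10Z | System/7036 | The SentinelStaticEngine service entered the running state.
2025-05-01T10:01:12Z | System/7036 | The SentinelAgent service entered the running state.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<event>[^|]+?) \| (?P<msg>.*)$")
SERVICE_RE = re.compile(r"The (?P<svc>\S+) service entered the (?P<state>stopped|running) state")


@dataclass
class Event:
    ts: datetime
    event: str
    msg: str


def parse_log(text: str) -> list[Event]:
    """Parse the simplified line format; unparseable lines are skipped. Sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["event"].strip(), m["msg"].strip()))
    return sorted(events, key=lambda e: e.ts)


def is_agent_installer_launch(ev: Event) -> bool:
    """Process-creation event for msiexec running something that looks like the agent installer.
    (Assumed naming; adjust to the installer names seen in your environment.)"""
    msg = ev.msg.lower()
    return ev.event == "Security/4688" and "msiexec.exe" in msg and "sentinel" in msg


def detect_unprotected_windows(text: str, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Alert on each installer launch after which an agent service stopped and was not
    restarted within `window`. A normal upgrade also stops the services, so the absence
    of the matching 'running' transition is what separates it from a bypass."""
    events = parse_log(text)
    alerts = []
    for i, ev in enumerate(events):
        if not is_agent_installer_launch(ev):
            continue
        deadline = ev.ts + window
        stopped: dict[str, datetime] = {}
        restarted: set[str] = set()
        for later in events[i + 1:]:
            if later.ts > deadline:
                break
            m = SERVICE_RE.search(later.msg)
            if not m or not m["svc"].lower().startswith("sentinel"):
                continue  # only the agent's own services (assumed "Sentinel*" naming) matter
            if m["state"] == "stopped":
                stopped.setdefault(m["svc"], later.ts)
            elif m["svc"] in stopped:
                restarted.add(m["svc"])
        missing = sorted(set(stopped) - restarted)
        if missing:
            alerts.append({
                "installer_launched": ev.ts,
                "cmdline": ev.msg,
                "services_not_restored": missing,
            })
    return alerts


if __name__ == "__main__":
    for name, log in (("suspicious", SUSPICIOUS_LOG), ("benign", BENIGN_LOG)):
        print(name, detect_unprotected_windows(log))
```

The window length is a tuning knob: a legitimate upgrade on a slow host can take a minute or two, while an attacker who kills the installer leaves the services down indefinitely, so a window of several minutes keeps false positives low without missing the bypass. Because the rule keys on the agent's own service transitions rather than on a particular installer version, it also fires when a downgrade to an older but legitimate installer is used, which is exactly the case Online Authorization is meant to block.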
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 06 May 2025 07:00:05 +0000