Full Report
Security researchers at Aon have discovered a threat actor who bypassed SentinelOne EDR protection to deploy Babuk ransomware
Analysis Summary
# Tool/Technique: Bring Your Own Installer (BYOI) to Bypass SentinelOne EDR
## Overview
The "Bring Your Own Installer" (BYOI) technique is a method identified by Aon's Stroz Friedberg Incident Response Services for circumventing the anti-tamper protection of the SentinelOne Endpoint Detection and Response (EDR) agent. Rather than attacking the agent directly, the actor runs a legitimate SentinelOne installer package of a different version on the endpoint; the flaw lies in how the agent handles that local upgrade/downgrade, and abusing it leaves the endpoint in an unprotected state.
## Technical Details
- Type: Technique
- Platform: Windows (the platform of the observed incident; the abused path is the agent's local installer-driven upgrade/downgrade).
- Capabilities: Circumvents SentinelOne's anti-tamper protection, leaves the endpoint without EDR coverage, and so allows follow-on malicious payloads to run undetected.
- First Seen: Disclosed in Aon's report of May 5, 2025, describing an incident investigated before that date.
## MITRE ATT&CK Mapping
This technique is a defense-evasion step: it neutralizes the endpoint's security tooling so that the payloads executed afterwards are not observed or blocked.
- TA0005 - Defense Evasion
- T1562 - Impair Defenses
- T1562.001 - Disable or Modify Tools (By subverting the EDR agent's operational state)
## Functionality
### Core Capabilities
- Abuses a flaw in the SentinelOne agent's local upgrade/downgrade procedure, using a legitimate installer package rather than custom tampering code.
- Circumvents the EDR's built-in anti-tamper feature, which normally prevents unauthorized stopping or disabling of the agent.
- Leaves the endpoint operating in an unprotected state.
### Advanced Features
- Requires local administrative rights on the endpoint, since the installer cannot be run otherwise; in the observed incident the actor already held administrative access and used the technique to strip the remaining endpoint protection rather than to obtain privileges.
- Facilitated the execution of a variant of the Babuk ransomware in the observed scenario.
## Indicators of Compromise
*Note: The article focuses on the technique rather than specific payload IOCs, but behavioral indicators associated with the technique are included.*
- File Hashes: [Not specified in the description]
- File Names: [Not specified in the description; the technique relies on a SentinelOne installer package of the actor's choosing plus the actor's payload]
- Registry Keys: [Not specified in the description]
- Network Indicators: [Not specified in the description, although a Babuk ransomware variant implies follow-on C2 activity]
- Behavioral Indicators: A SentinelOne installer package launched locally by an account or parent process that is not part of the organization's managed deployment path, followed by the agent's services stopping and a loss of telemetry from that endpoint without a completed upgrade.
## Associated Threat Actors
- An unnamed threat actor was observed using this technique to deploy a variant of Babuk ransomware (prior to the patch/mitigation).
## Detection Methods
- Signature-based detection: [Not specified. Of limited use against the bypass itself, since it runs a legitimate installer; signatures still apply to the Babuk payload dropped afterwards.]
- Behavioral detection: Monitor for local launches of SentinelOne installer packages that did not originate from the management console (unexpected user account or parent process), and for the agent's services going down after such a launch without coming back.
- YARA rules: [Not specified in the description]
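The following Python is an added example of the behavioral detection described above; it is not code from the Aon/Stroz Friedberg report or from SentinelOne. It correlates constructed process-creation and service-state events per host: a SentinelOne installer launch whose parent is not the agent itself is flagged as an unapproved local launch, and if the agent service stops after the launch and is not started again within a recovery window, the host is flagged as left unprotected. The JSON event format, the installer file-name prefix, the `SentinelAgent` service name and the approved-parent rule are all assumptions to be adjusted to your own telemetry.

```python
import json
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed names (not from the page): tune to the installer package and
# service names seen in your environment.
INSTALLER_PREFIX = "sentinelinstaller"
AGENT_SERVICE = "sentinelagent"
APPROVED_PARENTS = {"sentinelagent.exe"}   # assumed: console-pushed upgrades are spawned by the agent itself
RECOVERY_WINDOW = timedelta(minutes=10)    # how long a legitimate upgrade may keep the service down

# Constructed sample telemetry (JSON lines); not real logs from the incident.
SAMPLE_LOG = r"""
{"ts": "2025-05-01T10:00:00", "host": "WS-A", "type": "process_create", "image": "C:\\Temp\\SentinelInstaller_windows_64bit_v22_1_3_1.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\svc-backup"}
{"ts": "2025-05-01T10:00:12", "host": "WS-A", "type": "service_stop", "service": "SentinelAgent"}
{"ts": "2025-05-01T10:05:00", "host": "WS-B", "type": "process_create", "image": "C:\\ProgramData\\Sentinel\\SentinelInstaller_windows_64bit_v23_4_2_14.exe", "parent": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"ts": "2025-05-01T10:05:20", "host": "WS-B", "type": "service_stop", "service": "SentinelAgent"}
{"ts": "2025-05-01T10:06:30", "host": "WS-B", "type": "service_start", "service": "SentinelAgent"}
{"ts": "2025-05-01T10:10:00", "host": "WS-C", "type": "process_create", "image": "C:\\Temp\\SentinelInstaller_windows_64bit_v23_4_2_14.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\helpdesk1"}
{"ts": "2025-05-01T10:10:15", "host": "WS-C", "type": "service_stop", "service": "SentinelAgent"}
{"ts": "2025-05-01T10:12:05", "host": "WS-C", "type": "service_start", "service": "SentinelAgent"}
"""


def parse_events(lines):
    """Parse JSON lines into event dicts with a datetime 'ts'; blank lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def _basename(path):
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def _is_agent_service(ev, kind):
    return ev["type"] == kind and ev.get("service", "").lower() == AGENT_SERVICE


def detect_byoi(lines, now):
    """Return a list of findings, one dict per (host, rule) hit.

    Rules:
      unapproved_installer_launch  installer started by a parent other than the agent itself
      agent_down_pending           agent service stopped after the launch; window not yet elapsed
      agent_not_restored           agent service stopped after the launch and did not come back
                                   within RECOVERY_WINDOW, i.e. the unprotected state
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    by_host = defaultdict(list)
    for ev in parse_events(lines):
        by_host[ev["host"]].append(ev)

    findings = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, launch in enumerate(events):
            if launch["type"] != "process_create" or not _basename(launch["image"]).startswith(INSTALLER_PREFIX):
                continue
            base = {"host": host, "user": launch.get("user"), "parent": launch.get("parent")}
            if _basename(launch.get("parent", "")) not in APPROVED_PARENTS:
                findings.append({**base, "rule": "unapproved_installer_launch", "severity": "medium", "ts": launch["ts"]})
            later = events[i + 1:]
            stop = next((e for e in later if _is_agent_service(e, "service_stop")), None)
            if stop is None:
                continue
            deadline = stop["ts"] + RECOVERY_WINDOW
            restored = any(_is_agent_service(e, "service_start") and stop["ts"] < e["ts"] <= deadline for e in later)
            if restored:
                continue
            # No restart seen: only call it a bypass once the window has actually elapsed.
            if now >= deadline:
                findings.append({**base, "rule": "agent_not_restored", "severity": "high", "ts": stop["ts"]})
            else:
                findings.append({**base, "rule": "agent_down_pending", "severity": "low", "ts": stop["ts"]})
    return findings


def run_sample(now="2025-05-01T12:00:00"):
    """Run the detector over the constructed sample log."""
    return detect_byoi(SAMPLE_LOG.splitlines(), now)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['host']:5} {f['severity']:6} {f['rule']:28} user={f['user']} parent={f['parent']}")
```

On the sample, WS-A (installer run from cmd.exe, agent never restarted) raises both the launch and the not-restored findings, WS-B (console-driven upgrade with a brief, expected service restart) raises nothing, and WS-C (manual but completed reinstall) raises only the medium launch finding, which is the case a console-side approval setting would have blocked outright.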
## Mitigation Strategies
- SentinelOne has provided mitigation steps to its customers (as of the report date).
- Ensure the SentinelOne deployment is **properly configured**: the researchers note that a correctly configured environment is not affected. In particular, require management-console approval for local upgrades, downgrades and uninstalls (SentinelOne's "Online Authorization" policy setting) so that an installer launched on the endpoint cannot take the agent down on its own.
- Apply vendor updates addressing the upgrade/downgrade flaw.
- Restrict local administrative privileges: the installer can only be run by an administrator, so limiting who holds admin rights limits who can attempt the technique.
## Related Tools/Techniques
- EDR Evasion Techniques (General)
- Living off the Land Binaries (LOLBins) used during execution phase following the EDR bypass.
- Ransomware deployment tools (specifically, the Babuk ransomware variant observed in the incident).