Full Report
A new "Bring Your Own Installer" EDR bypass technique is exploited in attacks to bypass SentinelOne's tamper protection feature, allowing threat actors to disable endpoint detection and response (EDR) agents to install the Babuk ransomware. [...]
Analysis Summary
# Tool/Technique: SentinelOne EDR Bypass using "Bring Your Own Installer"
## Overview
This describes a novel technique observed in a ransomware attack where threat actors bypassed the SentinelOne Endpoint Detection and Response (EDR) solution by manipulating its update/installation process. The ultimate goal was to disable EDR protection to deploy ransomware.
## Technical Details
- Type: Technique (involving a specific tool manipulation)
- Platform: Windows
- Capabilities: Disabling or evading EDR security measures by interrupting the installer process of the SentinelOne agent.
- First Seen: Earlier in the year of the article's publication (exact date not given); the mitigation was shared in January 2025.
## MITRE ATT&CK Mapping
The core action relates to tampering with security software.
- **TA0005 - Defense Evasion**
- **T1562 - Impair Defenses**
- **T1562.001 - Disable or Modify Tools** (Specifically targeting the EDR service/agent during update/installation logic)
## Functionality
### Core Capabilities
- **EDR Session Termination:** The running SentinelOne agent service stops immediately prior to or during an attempted update/installation run by the `msiexec.exe` process, leaving a moment in which no agent is active.
- **Installer Interruption for Evasion:** Forcefully terminating the SentinelOne Windows Installer (`msiexec.exe`) process before the new/upgraded agent can fully install and launch, effectively leaving the device unprotected.
### Advanced Features
- **Version Agnostic:** The technique was observed to succeed across multiple SentinelOne agent versions, both current and older, indicating that routine version updates intended to patch earlier flaws do not defeat it.
- **Exploiting Legitimate Processes:** Leverages the legitimate SentinelOne installer to create a window of opportunity (by the installer shutting down the running agent) which is then exploited immediately afterward.
## Indicators of Compromise
*Note: Since this describes a technique relying on existing software functionality rather than unique malware, specific IoCs are limited to the execution context.*
- File Hashes: N/A (Relies on official SentinelOne installer files)
- File Names: `msiexec.exe` (The process being terminated)
- Registry Keys: N/A
- Network Indicators: N/A (The technique itself does not involve C2, but it facilitates subsequent ransomware activity)
- Behavioral Indicators: Termination of the SentinelOne agent service followed immediately by the termination of its installer process (`msiexec.exe`). Observation that the host disappeared from the SentinelOne management console shortly after the termination.
## Associated Threat Actors
- Threat actors observed deploying ransomware utilizing this EDR bypass technique (Specific group name not mentioned in the summary information provided).
## Detection Methods
- Signature-based detection: Not easily achieved, as legitimate tools are used.
- Behavioral detection: Monitoring for the sequence of events: EDR agent service stopping, followed by the termination of the associated Windows Installer process (`msiexec.exe`), or monitoring for the host disappearing from the EDR console abruptly during or after an upgrade attempt.
- YARA rules: N/A
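The behavioral sequence above (agent service stops, then `msiexec.exe` exits without the agent coming back) can be correlated from endpoint telemetry. The following is an added example, not code from the original report or from SentinelOne; the event records are constructed, and the field names and the `SentinelAgent` service name are assumptions a real feed would have to map onto.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report). Field names and the
# "SentinelAgent" service name are assumptions; a real pipeline would map
# Service Control Manager / process-termination events onto these records.
EVENTS = [
    {"ts": "2025-01-15T10:00:00", "host": "WS01", "type": "service_stop",  "name": "SentinelAgent"},
    {"ts": "2025-01-15T10:00:03", "host": "WS01", "type": "process_end",   "name": "msiexec.exe"},
    {"ts": "2025-01-15T11:30:00", "host": "WS02", "type": "service_stop",  "name": "SentinelAgent"},
    {"ts": "2025-01-15T11:31:10", "host": "WS02", "type": "service_start", "name": "SentinelAgent"},
    {"ts": "2025-01-15T11:31:15", "host": "WS02", "type": "process_end",   "name": "msiexec.exe"},
    {"ts": "2025-01-15T12:00:00", "host": "WS03", "type": "process_end",   "name": "msiexec.exe"},
]

AGENT_SERVICE = "SentinelAgent"   # assumed service name
INSTALLER = "msiexec.exe"


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_installer_interruption(events, window_s=120):
    """Return one alert per EDR-agent stop that is followed, within window_s
    seconds, by the Windows Installer exiting while the agent service has not
    been started again. A normal upgrade restarts the agent before msiexec.exe
    exits (host WS02); the suspicious pattern is stop -> installer gone (WS01)."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=_ts):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "service_stop" or ev["name"] != AGENT_SERVICE:
                continue
            deadline = _ts(ev) + timedelta(seconds=window_s)
            restarted = False
            for later in evs[i + 1:]:
                if _ts(later) > deadline:
                    break                      # outside the correlation window
                if later["type"] == "service_start" and later["name"] == AGENT_SERVICE:
                    restarted = True           # upgrade completed normally
                if later["type"] == "process_end" and later["name"] == INSTALLER:
                    if not restarted:
                        alerts.append({"host": host, "agent_stopped": ev["ts"],
                                       "installer_ended": later["ts"]})
                    break
    return alerts


if __name__ == "__main__":
    for a in detect_installer_interruption(EVENTS):
        print(f"ALERT {a['host']}: agent stopped {a['agent_stopped']}, "
              f"msiexec.exe ended {a['installer_ended']} with no agent restart")
```

A console-side signal (the host dropping out of the EDR console right after the alert) would be a natural second stage to join onto the same host and time window.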
## Mitigation Strategies
- **Enable Online Authorization:** The primary mitigation provided by SentinelOne is enabling the "Online Authorization" feature within Sentinel Policy settings. This requires explicit approval from the SentinelOne management console before any local upgrades, downgrades, or uninstalls of the agent can occur.
- **Monitor Installer Activity:** Organizations should monitor for unusual terminations of installer processes (`msiexec.exe`) associated with security agents.
## Related Tools/Techniques
- **SentinelOne EDR:** The security product being bypassed.
- Babuk ransomware deployment (subsequent stage, as noted in the report).
- Other EDR evasion techniques that focus on disrupting agent startup or maintenance (a variant of T1562.001).