Security researchers have uncovered a sophisticated technique used by attackers to bypass SentinelOne Endpoint Detection and Response (EDR) protection, enabling the silent deployment of Babuk ransomware.
The Discovery
The method, named "Bring Your Own Installer," was identified by Aon's Stroz Friedberg Incident Response team during a forensic investigation into a Babuk ransomware incident. The attackers took advantage of a vulnerability in the SentinelOne agent upgrade process to disable EDR protection without needing administrative console access or any specialized tools.
How the Bypass Works
At the heart of this attack is a timing vulnerability during SentinelOne's agent update. Here's how threat actors exploit it:
- Deploy a legitimate, signed SentinelOne installer (e.g., SentinelOneInstaller_windows_64bit_v23_4_4_223.exe or SentinelInstaller_windows_64bit_v23_4_6_347.msi).
- Allow the installer to terminate active SentinelOne processes as part of the upgrade routine.
- Forcefully kill the Windows Installer process (msiexec.exe) before the installation completes.
This leaves the system in an unprotected state, with no SentinelOne processes running and no new version installed, opening the door for malware deployment.
Unlike other techniques that rely on vulnerable drivers or third-party software, this method uses SentinelOne's own tools against itself. Forensic logs reveal telltale signs of the attack, such as:
- EventID 93 in SentinelOne logs with CommandType: unload
- EventID 1042 in Application logs showing MsiInstaller Exited
Notably, the underlying tactic interrupts the agent installation during critical process transitions, which under the right conditions could be adapted to other EDR platforms with similar update workflows. Security teams should evaluate their own tools for similar timing-related vulnerabilities.
Babuk Ransomware Deployment
Once the endpoint protection is disabled, attackers proceed to deploy Babuk ransomware, a potent malware strain active since early 2020. Babuk operates under a Ransomware-as-a-Service (RaaS) model and can target both Windows and Linux systems.
The ransomware uses AES-256 encryption to lock files and attempts to stop services and processes that might interfere with encryption. Victims are then presented with a ransom note detailing payment instructions.
Mitigation and Response
SentinelOne acted swiftly after the disclosure by Stroz Friedberg and issued a customer advisory in January 2025. The core mitigation is to enable the "Online Authorization" feature in the SentinelOne Policy settings. This setting, disabled by default, requires approval from the management console before allowing local upgrades, downgrades, or uninstalls.
"The feature is turned off by default. At the end of the day, getting the word out to mitigate this bypass is the most important thing," said Ailes from the SentinelOne team.
SentinelOne also shared the details of this exploit with other EDR vendors. Palo Alto Networks has confirmed that its EDR solution is not impacted by this technique.
Recommendations from Stroz Friedberg
Organizations should take the following actions immediately:
- Enable "Online Authorization" in SentinelOne's policy.
- Monitor for SentinelOne version changes using EventID 1.
- Watch for rapid version shifts or multiple version changes in short time frames.
- Review logs for abrupt service terminations associated with SentinelOne.
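To make the forensic indicators and the monitoring recommendations above concrete, here is a small log correlator added for this article (example code, not tooling from Stroz Friedberg or SentinelOne). It runs over a constructed log excerpt: the pipe-delimited record format, the source labels, the detail text, the timestamps and the 10-minute and 1-hour windows are all assumptions made for the example; only the event IDs (93 unload, 1042 MsiInstaller Exited, 1 for version records) and the version numbers come from the article. The first check flags an unload followed by an installer exit with no new version recorded afterwards; the second flags rapid version flapping.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class LogEvent:
    ts: datetime
    source: str     # constructed label for the log the record came from
    event_id: int
    detail: str     # constructed free-text detail field


def parse_line(line: str) -> LogEvent:
    """Parse one record in the constructed 'timestamp|source|id|detail' form."""
    ts, source, event_id, detail = line.strip().split("|", 3)
    return LogEvent(datetime.fromisoformat(ts), source, int(event_id), detail)


# Constructed sample timeline (not real log output): a completed upgrade on
# 2025-01-10, an interrupted one on 2025-01-11, and version flapping on 2025-01-12.
SAMPLE_LOG = """\
2025-01-10T09:00:00|SentinelOne|1|version=23.4.4.223
2025-01-10T09:01:00|SentinelOne|93|CommandType: unload
2025-01-10T09:01:30|Application|1042|MsiInstaller Exited
2025-01-10T09:03:00|SentinelOne|1|version=23.4.6.347
2025-01-11T14:00:00|SentinelOne|93|CommandType: unload
2025-01-11T14:00:20|Application|1042|MsiInstaller Exited
2025-01-12T10:00:00|SentinelOne|1|version=23.4.6.347
2025-01-12T10:05:00|SentinelOne|1|version=23.4.4.223
2025-01-12T10:12:00|SentinelOne|1|version=23.4.6.347
"""
SAMPLE_EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


def _version_records(events: List[LogEvent]) -> List[LogEvent]:
    """EventID 1 records from the SentinelOne log, in time order (assumed to carry the agent version)."""
    return sorted((e for e in events if e.source == "SentinelOne" and e.event_id == 1),
                  key=lambda e: e.ts)


def interrupted_upgrades(events: List[LogEvent],
                         window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag each EventID 93 unload that is followed within `window` by an
    EventID 1042 'MsiInstaller Exited' but by no EventID 1 version record:
    the agent was unloaded, the installer went away, and nothing came back.
    A normal upgrade produces the same two events but then records a version."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(ordered):
        if ev.event_id != 93 or "unload" not in ev.detail.lower():
            continue
        deadline = ev.ts + window
        installer_exit, completed = None, False
        for later in ordered[i + 1:]:
            if later.ts > deadline:
                break
            if later.event_id == 1042 and "msiinstaller exited" in later.detail.lower():
                installer_exit = later
            elif later.source == "SentinelOne" and later.event_id == 1:
                completed = True
        if installer_exit is not None and not completed:
            findings.append({"unload_at": ev.ts.isoformat(),
                             "installer_exit_at": installer_exit.ts.isoformat()})
    return findings


def rapid_version_changes(events: List[LogEvent], min_changes: int = 2,
                          window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Flag any stretch of `window` in which the recorded agent version changes
    at least `min_changes` times (for example a downgrade followed by an upgrade)."""
    versions = _version_records(events)
    findings, i = [], 0
    while i < len(versions):
        run = [v for v in versions[i:] if v.ts - versions[i].ts <= window]
        changes = sum(1 for a, b in zip(run, run[1:]) if a.detail != b.detail)
        if changes >= min_changes:
            findings.append({"from": run[0].ts.isoformat(),
                             "to": run[-1].ts.isoformat(), "changes": changes})
            i += len(run)   # skip past the window already reported
        else:
            i += 1
    return findings


if __name__ == "__main__":
    for f in interrupted_upgrades(SAMPLE_EVENTS):
        print("possible interrupted upgrade:", f)
    for f in rapid_version_changes(SAMPLE_EVENTS):
        print("rapid version changes:", f)
```

On real data the records would come from exported SentinelOne agent logs and the Windows Application log rather than the constructed format here, and the windows need tuning to the normal upgrade cadence in the environment. The point of the first check is that unload plus installer exit is not suspicious on its own; the absence of a subsequent version record is what separates an interrupted upgrade from a completed one.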
Conclusion
This discovery underscores the ongoing evolution of tactics used by threat actors to defeat endpoint protection. It also highlights the importance of proper configuration, vigilant monitoring, and staying informed about emerging threats targeting security platforms. Given the nature of this technique, other EDR products could be vulnerable to similar exploitation if their update mechanisms are not sufficiently hardened.