A sophisticated new attack method that disables endpoint security protection has been identified by security researchers, enabling threat actors to deploy ransomware undetected.\u00a0<\/p>\n
The technique, dubbed \u201cBring Your Own Installer,\u201d was recently discovered by Aon\u2019s Stroz Friedberg Incident Response team during an investigation of a Babuk ransomware<\/a> attack.<\/p>\n The method exploits a vulnerability in SentinelOne\u2019s agent upgrade process, allowing attackers to circumvent the EDR solution\u2019s anti-tamper protection without requiring administrative console access or specialized tools.<\/p>\n The bypass technique exploits a critical timing vulnerability during the SentinelOne agent update process, Aon\u2019s Stroz Friedberg observed,<\/p>\n When installing a different version of the SentinelOne agent, the installer first terminates all associated Windows processes before overwriting existing files with the new version.<\/p>\n Attackers leverage this window of opportunity by:<\/p>\n Unlike other EDR bypass methods that rely on vulnerable drivers or third-party tools, this technique uses legitimate SentinelOne installers against themselves.\u00a0<\/p>\n Forensic evidence includes EventID 93 with \u201cCommandType: unload\u201d as the last event in SentinelOne operational logs and EventID 1042 in Application logs showing \u201cMsiInstaller Exited.\u201d<\/p>\n Once EDR protection is disabled, attackers deploy Babuk ransomware, a sophisticated encryption malware that targets multiple platforms including Windows and Linux<\/a>. Babuk emerged in early 2020 and operates as a Ransomware-as-a-Service (RaaS) model.<\/p>\n Babuk uses AES-256 encryption to lock files on infected computers and attempts to terminate processes and services that might inhibit the encryption process. After encryption completes, it displays a ransom note with payment instructions.<\/p>\n SentinelOne responded promptly to Stroz Friedberg\u2019s disclosure and issued guidance to customers in January 2025.\u00a0<\/p>\n The critical mitigation is enabling the \u201cOnline Authorization\u201d feature in SentinelOne\u2019s Policy settings, which requires approval from the management console before any local upgrades, downgrades, or uninstalls can occur.<\/p>\n \u201cThe feature is turned off by default. At the end of the day, getting the word out to mitigate this bypass is the most important thing\u201d,\u00a0warns Ailes<\/a>.\u00a0<\/p>\n SentinelOne has also shared this advisory with other major EDR vendors. Palo Alto Networks has confirmed its EDR solution is not affected by this attack method.<\/p>\n Stroz Friedberg advises organizations to:<\/p>\n This discovery highlights the continued evolution of EDR bypass techniques and reinforces the need for organizations to properly configure security tools and maintain awareness of emerging threats targeting their endpoint protection<\/a> solutions.<\/p>\n Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points \u2013 Free Webinar<\/a><\/strong><\/p>\n The post Threat Actor Bypass SentinelOne EDR to Deploy Babuk Ransomware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nHow the Attack Works<\/strong><\/h2>\n
\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeP-fVZKRA1ui1Vq62VS9vmnI7nskiI9Wxgx6dvALQED5hfRSfz_qgVtXUUusIOL4a111g9QV0P5J-ocp_a64_ecY1dpY01yGKznUMowDHmWf2r63p7W1LEKYT9GoolnxsPoSQSxg?key=JjYUCbjsGUOobtjBGydYKA\")
Mitigation Steps<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcnb3jrPTwTG6P5P_eZrzE-r-GUGMVAYHdPG7kKdI04tHoChDcHYKM8vY8pHtxG_wBI8q3PgoXjjsDl1RIBI5NQ3EUYs2Y8FDjNLVLC5GPiBZJIcar3gTKkxHcnt9gVr7yQq1rI?key=JjYUCbjsGUOobtjBGydYKA\")
\n