
"Bring Your Own Installer" EDR bypass technique exploited on SentinelOne

Take action: If you are using SentinelOne EDR, enable and enforce the "Online authorization" feature immediately in the Sentinels Policy to prevent the "Bring Your Own Installer" attack.



Aon's Stroz Friedberg Incident Response Services is reporting an attack method that allows threat actors to bypass SentinelOne's Endpoint Detection and Response (EDR) protection. 

SentinelOne incorporates anti-tamper protection that typically requires administrative action in the SentinelOne management console or a unique code to remove an agent from protection. This safeguard aims to restrict unauthorized users from disabling protection measures and prevent malware from easily terminating EDR processes.

The attack technique, dubbed "Bring Your Own Installer" (BYOI), exploits a vulnerability in the upgrade/downgrade process of the SentinelOne agent, circumventing its anti-tamper feature and resulting in an unprotected endpoint.

The vulnerability was discovered during a Stroz Friedberg investigation of an incident where a threat actor gained local administrative access and successfully bypassed these protections without the anti-tamper code:

  • When initiating an upgrade or downgrade by running an MSI Windows installer file for a different SentinelOne version, Microsoft Windows uses its native installer program (msiexec.exe) to perform the installation.
  • Shortly after the normal SentinelOne agent version change process starts, all previously running SentinelOne processes are terminated, leaving a window of approximately 55 seconds before the MSI installer spawns the processes for the new agent version.
  • During this critical window when no SentinelOne processes are active, the researchers were able to interrupt the upgrade by terminating the msiexec.exe process associated with the SentinelOne version change. This was done by executing a taskkill command from a command prompt running with local administrator permission.
  • Because the old version SentinelOne processes were terminated during the upgrade, and the new processes were interrupted before spawning, the final result was a system without SentinelOne protection.
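A detection for the sequence described above, as an added example that is not part of the advisory or of any vendor's product: a small Python check over constructed process-creation events that flags a SentinelOne MSI launch followed within the window by a taskkill of msiexec.exe with no agent process start afterwards. The agent image name SentinelAgent.exe, the window sizes and the event format are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ProcEvent:
    ts: datetime          # process creation time
    image: str            # image file name, e.g. "msiexec.exe"
    cmdline: str          # full command line as logged

# Assumed (not from the advisory): agent image name and time windows.
AGENT_IMAGES = {"sentinelagent.exe"}
KILL_WINDOW = timedelta(seconds=90)     # generously covers the ~55 s gap
RESTART_GRACE = timedelta(seconds=300)  # how long a legitimate upgrade may take

def is_sentinelone_msi(ev):
    c = ev.cmdline.lower()
    return ev.image.lower() == "msiexec.exe" and "sentinel" in c and ".msi" in c

def kills_msiexec(ev):
    # Matches image-name kills; /PID kills would need a PID join, not shown here.
    return ev.image.lower() == "taskkill.exe" and "msiexec" in ev.cmdline.lower()

def find_byoi_candidates(events):
    """Return (install_ts, kill_ts) pairs: a SentinelOne MSI install followed within
    KILL_WINDOW by a taskkill of msiexec and no agent start within RESTART_GRACE."""
    events = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, inst in enumerate(events):
        if not is_sentinelone_msi(inst):
            continue
        later = events[i + 1:]
        kill = next((e for e in later
                     if kills_msiexec(e) and e.ts - inst.ts <= KILL_WINDOW), None)
        if kill is None:
            continue
        restarted = any(e.image.lower() in AGENT_IMAGES
                        and kill.ts < e.ts <= kill.ts + RESTART_GRACE for e in later)
        if not restarted:
            hits.append((inst.ts, kill.ts))
    return hits

T = datetime(2025, 1, 1, 10, 0, 0)  # constructed base time
SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    ProcEvent(T, "msiexec.exe", r"msiexec.exe /i C:\tmp\SentinelAgent_PLACEHOLDER.msi /quiet"),
    ProcEvent(T + timedelta(seconds=30), "taskkill.exe", "taskkill /F /IM msiexec.exe"),  # BYOI
    ProcEvent(T + timedelta(hours=1), "msiexec.exe", r"msiexec.exe /i C:\tmp\SentinelAgent_PLACEHOLDER.msi /quiet"),
    ProcEvent(T + timedelta(hours=1, seconds=70), "SentinelAgent.exe", "SentinelAgent.exe"),  # benign upgrade
    ProcEvent(T + timedelta(hours=2), "msiexec.exe", r"msiexec.exe /i C:\tmp\other_app.msi"),
    ProcEvent(T + timedelta(hours=2, seconds=10), "taskkill.exe", "taskkill /F /IM msiexec.exe"),  # unrelated
]

if __name__ == "__main__":
    print(find_byoi_candidates(SAMPLE_EVENTS))
```

Only the first scenario is reported; the legitimate upgrade and the unrelated killed install are left alone.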

SentinelOne advises all customers to activate the "Online authorization" feature, which removes the ability to perform local upgrades and downgrades and can be found in the Sentinels Policy menu in the management console. At the time of Stroz Friedberg's investigation and testing, this option was not enabled by default.

Prior to publication, SentinelOne assisted Stroz Friedberg with a private disclosure of this attack pattern to other EDR vendors so that their products could be assessed. As of the date of publishing, Stroz Friedberg does not have knowledge of any EDR vendor, including SentinelOne, that is currently impacted by this attack when their product is properly configured.
