Cybercriminals Bypass SentinelOne EDR to Launch Babuk Ransomware Attack

Aon’s Stroz Friedberg Incident Response Services has revealed a sophisticated technique employed by a threat actor to circumvent SentinelOne’s Endpoint Detection and Response (EDR) protections, ultimately deploying a variant of Babuk ransomware.

The exploit leverages a vulnerability in SentinelOne’s local agent upgrade and downgrade process, effectively bypassing the solution’s anti-tamper mechanisms and leaving targeted endpoints temporarily unprotected.

The incident began when a threat actor compromised a publicly accessible server by exploiting a known vulnerability (CVE) in an application running on the system.

[Figure: Abstraction of Bring Your Own Installer EDR Bypass]

With local administrative rights secured, the attacker initiated multiple upgrades and downgrades of the SentinelOne agent using legitimate, signed installer files for different agent versions.

Forensic evidence captured by Stroz Friedberg included multiple instances of installer file creation, repeated version changes, and specific event log activity, most notably the abrupt termination of SentinelOne processes and the appearance of an ‘unload’ command in operational logs.

Further signs included installer exit logs and changes in scheduled tasks, service states, and firewall configurations.

Importantly, Stroz Friedberg found no evidence of malicious or vulnerable driver files, indicating that the attack did not rely on known driver-based EDR evasion tactics.
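The forensic indicators listed above (repeated installer creation and version changes on one host, agent processes terminated, the installer itself killed, and the endpoint then dropping offline) are the kind of sequence a defender can correlate in telemetry. The following is an added example, not code from the Stroz Friedberg report or from SentinelOne: a small Python routine that flags a host when several agent version changes occur inside a short window and msiexec.exe is terminated shortly after an install starts, with a later "agent offline" event raising confidence. The log format, event names, host names and version labels are constructed for this example; the window sizes are assumptions to tune against your own EDR or Sysmon exports. Note that a single upgrade legitimately terminates the agent processes for a moment, so that signal on its own is deliberately not treated as suspicious.

```python
"""Correlate constructed endpoint telemetry for the installer-abuse pattern.

Added example; not the report's or vendor's code.  Log format, field names,
sample values and thresholds are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: tune against your own telemetry.
VERSION_CHANGE_WINDOW = timedelta(minutes=30)  # two installs this close = "repeated"
KILL_WINDOW = timedelta(minutes=5)             # msiexec killed this soon after install start

# Constructed sample telemetry, one event per line: timestamp|host|event_type|detail
# web01: the abuse pattern. db02: a normal single upgrade. ws03: two upgrades that
# both completed (noisy admin activity, but the installer was never killed).
SAMPLE_LOG = """\
2025-05-01T10:00:05|web01|installer_created|SentinelInstaller_VERSION_A.msi
2025-05-01T10:00:20|web01|installer_started|SentinelInstaller_VERSION_A.msi
2025-05-01T10:00:55|web01|agent_started|VERSION_A
2025-05-01T10:03:10|web01|installer_created|SentinelInstaller_VERSION_B.msi
2025-05-01T10:03:30|web01|installer_started|SentinelInstaller_VERSION_B.msi
2025-05-01T10:03:40|web01|process_terminated|SentinelAgent.exe
2025-05-01T10:03:41|web01|process_terminated|msiexec.exe
2025-05-01T10:05:30|web01|agent_offline|console heartbeat lost
2025-05-01T11:00:00|db02|installer_created|SentinelInstaller_VERSION_A.msi
2025-05-01T11:00:10|db02|installer_started|SentinelInstaller_VERSION_A.msi
2025-05-01T11:00:12|db02|process_terminated|SentinelAgent.exe
2025-05-01T11:00:50|db02|agent_started|VERSION_A
2025-05-01T12:00:10|ws03|installer_started|SentinelInstaller_VERSION_A.msi
2025-05-01T12:00:50|ws03|agent_started|VERSION_A
2025-05-01T12:10:10|ws03|installer_started|SentinelInstaller_VERSION_B.msi
2025-05-01T12:10:50|ws03|agent_started|VERSION_B
"""


def parse_log(text):
    """Parse the constructed pipe-delimited format into sorted (ts, host, type, detail) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, etype, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, etype, detail))
    events.sort(key=lambda e: e[0])
    return events


def analyze_host(evs):
    """Evaluate one host's events and return the individual signals plus a verdict."""
    starts = [ts for ts, _, et, _ in evs if et == "installer_started"]
    # Signal 1: consecutive agent installs inside the window (repeated version changes).
    repeated = any(b - a <= VERSION_CHANGE_WINDOW for a, b in zip(starts, starts[1:]))

    # Signal 2: the Windows Installer process itself was terminated shortly after
    # an install began, i.e. before the incoming agent could come up.
    kills = [ts for ts, _, et, d in evs
             if et == "process_terminated" and d.lower() == "msiexec.exe"]
    killed_mid_install = any(timedelta(0) <= k - s <= KILL_WINDOW
                             for k in kills for s in starts)

    # Signal 3: after such a kill the console lost the endpoint with no agent restart in between.
    offline_after_kill = False
    for k in kills:
        for ts, _, et, _ in evs:
            if ts < k:
                continue
            if et == "agent_started":
                break
            if et == "agent_offline":
                offline_after_kill = True
                break

    return {
        "repeated_version_changes": repeated,
        "installer_killed_mid_install": killed_mid_install,
        "agent_offline_after_kill": offline_after_kill,
        # Verdict: repeated installs AND a killed installer; offline-after-kill adds confidence.
        "flagged": repeated and killed_mid_install,
    }


def find_suspicious_hosts(events):
    """Group events by host and analyze each; returns {host: signals}."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    return {host: analyze_host(evs) for host, evs in by_host.items()}


if __name__ == "__main__":
    for host, result in find_suspicious_hosts(parse_log(SAMPLE_LOG)).items():
        status = "FLAGGED" if result["flagged"] else "ok"
        print(f"{host}: {status} {result}")
```

Run as-is it flags only web01; db02 (one normal upgrade, agent briefly terminated, then restarted) and ws03 (two completed upgrades, installer never killed) stay clean. In production the same logic would consume process-termination and service-state events from Sysmon or the EDR console rather than the constructed lines above.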

Testing confirmed that initiating an agent upgrade or downgrade with an MSI installer would result in the termination of all SentinelOne processes for a brief interval.

If the Windows Installer process (msiexec.exe) was terminated during this window, before the new agent version started, both the outgoing and incoming SentinelOne agents would remain inactive, leaving the system without EDR protection.

[Figure: Killing the Windows Installer Executable that Aids in the SentinelOne Version Change]

The management console would register the endpoint as offline shortly afterward. This method proved effective across multiple SentinelOne agent versions and did not require the anti-tamper removal code, greatly increasing the risk to affected environments.

Vendor Response and Remediation Guidance

According to the report, SentinelOne responded promptly by issuing detailed mitigation steps to its customers.

The recommended defense is SentinelOne’s “Online authorization” feature, which requires all upgrades and downgrades to be executed centrally via the management console, thus disallowing local installation changes without proper authorization.

Stroz Friedberg’s follow-up testing confirmed that enabling this feature prevents the attack, as local administrative attempts to upgrade or downgrade the agent are blocked.

However, at the time of the incident, this option was not enabled by default on the affected system, leaving it vulnerable.

In a coordinated move, SentinelOne assisted Stroz Friedberg in confidentially disclosing the attack methodology to other EDR vendors, ensuring the broader EDR ecosystem could assess potential exposure before public disclosure.

As of publication, there are no known EDR platforms susceptible to this attack vector when correctly configured with centralized upgrade/downgrade controls.

This incident highlights the importance of secure process management within endpoint security solutions, particularly around agent lifecycle operations such as upgrades and downgrades.

Organizations using SentinelOne are strongly encouraged to review and implement the latest remediation guidance, ensuring that all EDR endpoints are configured to require centralized management authorization for version changes.

The episode also underscores the need for continuous monitoring of configuration settings and timely application of vendor-recommended security controls to maintain effective defense against evolving attacker tactics.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
