Pierluigi Paganini
May 06, 2025
Aon’s Stroz Friedberg discovered a new “Bring Your Own Installer” (BYOI) EDR bypass technique that exploits a flaw in SentinelOne’s upgrade process to bypass its anti-tamper protections, leaving endpoints unprotected. Stroz Friedberg researchers did not observe any usage of malicious driver files.
Stroz Friedberg discovered the technique while investigating an incident where a threat actor gained local administrative access and bypassed these protections without the anti-tamper code. Once disabled the EDR agent, the attackers deployed the Babuk ransomware.
Forensics showed rapid version changes, installer file use, and event log entries tied to EDR tampering. The attackers did not use any vulnerable drivers. The researchers discovered that the bypass was possible due to disabled local upgrade/downgrade authorization.
“Based on the forensic evidence, Stroz Friedberg assessed that the threat actor likely bypassed the protection through a vulnerability in the local upgrade process.” reads the report published by the researchers. “Stroz Friedberg later confirmed that the impacted environment did not have local upgrade/downgrade online authorization enabled at the time of the incident.”
The team at Stroz Friedberg ran the experiment on a Windows Server 2022 machine that had SentinelOne version 23.4.6.223 installed and confirmed that the agent was running properly and showing as online in the management dashboard.
To kick off the process, they launched an installer (MSI file) for a different version of SentinelOne, something that Windows handles using its built-in msiexec.exe. As expected, the currently running SentinelOne processes shut down to make room for the new version. But here’s where things got interesting: before the update could complete, they used admin rights to kill the Windows installer process mid-upgrade.
What this did was leave the system hanging, none of the old SentinelOne processes were running anymore, and the new ones never had a chance to start. As a result, the endpoint was completely unprotected. Shortly after this, the machine even disappeared from the SentinelOne console.
They repeated the test with various versions of the SentinelOne agent, and the outcome was consistent: interrupting the upgrade at the right moment left the system vulnerable.
“Stroz Friedberg reported their findings to SentinelOne who responded promptly and issued guidance on mitigating the issue to their customers. SentinelOne has an “Online authorization” feature which removes the ability to perform local upgrades and downgrades and can be found in the Sentinels Policy menu in the management console.” concludes the report. “At the time of Stroz Friedberg’s investigation and testing, this option was not enabled by default.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, BYOI)
