Hacker Finds New Technique to Bypass SentinelOne EDR Solution

Endpoint Detection and Response (EDR) solutions have become standard cybersecurity products in most organizations, yet they are not infallible.
In a new report published on May 5, researchers at Aon’s Stroz Friedberg Incident Response Services shared their discovery of a new technique threat actors could use to bypass SentinelOne’s EDR, one of the most commonly used EDRs.
The method, called Bring Your Own Installer, circumvents SentinelOne’s anti-tamper feature by exploiting a flaw within the upgrade/downgrade process of the SentinelOne agent, resulting in an unprotected endpoint.
The Stroz Friedberg researchers observed a threat actor use this technique to gain local administrative access, bypass the EDR’s protections and execute a variant of the Babuk ransomware.
In response to the report, SentinelOne provided mitigation steps for its customers.
“As of the date of publishing, Aon’s Stroz Friedberg does not have knowledge of any EDR vendor, including SentinelOne, that is currently impacted by this attack when their product is properly configured,” the researchers wrote.
Indicators of EDR Bypass
Like many other EDRs, SentinelOne’s EDR incorporates anti-tamper protection to restrict unauthorized users from disabling protection measures and prevent malware from trivially terminating EDR processes.
This feature requires an administrative action in the SentinelOne management console or a unique code to remove an agent from SentinelOne’s protection.
However, the Stroz Friedberg researchers identified a threat actor who exploited a vulnerability in an application running on a publicly accessible server to gain local administrative access to a host device on which SentinelOne’s EDR was running.
During forensic analysis of the system, the researchers observed several indicators of EDR bypass, including:
- File creation of multiple versions of legitimate signed SentinelOne installer files, in this case SentinelOneInstaller_windows_64bit_v23_4_4_223.exe and SentinelInstaller_windows_64bit_v23_4_6_347.msi
- Additional event logs and other forensic evidence associated with product version changes, including scheduled task changes, service stop/start events, local firewall configuration changes, etc.
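One way to hunt for the indicators listed above in endpoint telemetry, as an added example that is not code from the Aon/Stroz Friedberg report or from SentinelOne: the event records are constructed and simplified, and the agent service name "SentinelAgent" is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample endpoint events (timestamp, event type, detail); not real telemetry.
SAMPLE_EVENTS = [
    ("2025-05-01T10:00:00", "file_create", r"C:\Temp\SentinelOneInstaller_windows_64bit_v23_4_4_223.exe"),
    ("2025-05-01T10:00:05", "file_create", r"C:\Temp\SentinelInstaller_windows_64bit_v23_4_6_347.msi"),
    ("2025-05-01T10:01:00", "service_stop", "SentinelAgent"),      # service name is assumed
    ("2025-05-01T10:01:20", "process_terminate", "msiexec.exe"),
    ("2025-05-01T10:30:00", "service_start", "SentinelAgent"),     # far outside the window
]

# Matches the installer file names quoted in the report; the version string is captured.
INSTALLER_RE = re.compile(
    r"Sentinel(?:One)?Installer_windows_64bit_v(\d+_\d+_\d+_\d+)\.(?:exe|msi)$", re.IGNORECASE)

def parse(events):
    return [(datetime.fromisoformat(ts), kind, detail) for ts, kind, detail in events]

def find_bypass_indicators(events, window=timedelta(minutes=10)):
    """Return the indicator names found; an empty list means nothing suspicious."""
    parsed = sorted(parse(events))
    findings = []
    # 1. Several distinct agent installer versions dropped close together.
    versions = {}
    for ts, kind, detail in parsed:
        m = INSTALLER_RE.search(detail) if kind == "file_create" else None
        if m:
            versions[m.group(1)] = ts
    if len(versions) >= 2 and max(versions.values()) - min(versions.values()) <= window:
        findings.append("multiple_installer_versions")
    # 2. Agent service stopped and not started again within the window.
    for ts, kind, detail in parsed:
        if kind == "service_stop" and detail == "SentinelAgent":
            restarted = any(k == "service_start" and d == detail and ts < t <= ts + window
                            for t, k, d in parsed)
            if not restarted:
                findings.append("agent_stopped_without_restart")
            # 3. msiexec ended while the agent is down: the upgrade never completed.
            if any(k == "process_terminate" and d.lower() == "msiexec.exe"
                   and ts <= t <= ts + window for t, k, d in parsed):
                findings.append("installer_terminated_during_upgrade")
    return findings

if __name__ == "__main__":
    print(find_bypass_indicators(SAMPLE_EVENTS))
```

A benign upgrade produces the installer drop and a service stop, but the service starts again within seconds, so only the combination of all three findings should page an analyst.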
EDR Vulnerability Proof-of-Concept Exploit
Based on these findings, the Stroz Friedberg researchers conducted an experiment to replicate a potential vulnerability in SentinelOne’s EDR software.
They used a Windows Server 2022 virtual machine with SentinelOne EDR software version 23.4.6.223 installed. During the experiment, they initiated an upgrade/downgrade of the SentinelOne agent using the MSI Windows installer file.
The upgrade/downgrade process involved terminating all existing SentinelOne processes approximately 55 seconds before spawning new processes for the updated version. This created a temporary window where no SentinelOne processes were running on the system.
The researchers exploited this window by terminating the msiexec.exe process associated with the upgrade/downgrade using a taskkill command with local administrator permission.
As a result, the system was left without SentinelOne protection, and the host subsequently went offline in the SentinelOne management console.
SentinelOne’s Mitigation Measures
The Aon researchers reported their findings to SentinelOne. The EDR maker responded promptly and issued guidance on mitigating the issue to its customers. The recommended measures include:
- Using SentinelOne’s local agent passphrase (enabled by default) to prevent unauthorized agent uninstalls and protect against unauthorized agent upgrades
- Local Upgrade Authorization feature to ensure upgrades are authenticated through the SentinelOne console
Since the publication of the Aon report, SentinelOne has published a post showcasing some additional steps the software vendor has taken to mitigate this threat.
For instance, the company is now enabling the Local Update Authorization feature by default for all new customers, providing them with an additional layer of security.
SentinelOne assisted the researchers with a private disclosure of this attack pattern to other EDR vendors so that their products could be assessed before Stroz Friedberg’s public disclosure of this attack.
Some of the contacted vendors did not respond to the disclosure of the attack pattern.