Threat Actor Bypass SentinelOne EDR to Deploy Babuk Ransomware
Researchers have discovered a new attack method, "Bring Your Own Installer", which exploits a flaw in the SentinelOne upgrade process to bypass endpoint security protection. By terminating the relevant processes and the installer, attackers leave the system unprotected and then deploy Babuk ransomware. SentinelOne has released a patch and recommends enabling the Online Authorization feature to prevent this kind of attack. 2025-5-6 15:0:26 Author: cybersecuritynews.com


A sophisticated new attack method that disables endpoint security protection has been identified by security researchers, enabling threat actors to deploy ransomware undetected. 

The technique, dubbed “Bring Your Own Installer,” was recently discovered by Aon’s Stroz Friedberg Incident Response team during an investigation of a Babuk ransomware attack.

The method exploits a vulnerability in SentinelOne’s agent upgrade process, allowing attackers to circumvent the EDR solution’s anti-tamper protection without requiring administrative console access or specialized tools.


How the Attack Works

The bypass technique exploits a critical timing vulnerability during the SentinelOne agent update process, Aon's Stroz Friedberg observed:

When installing a different version of the SentinelOne agent, the installer first terminates all associated Windows processes before overwriting existing files with the new version.

Attackers leverage this window of opportunity by:

  • Deploying legitimate signed SentinelOne installer files (such as SentinelOneInstaller_windows_64bit_v23_4_4_223.exe or SentinelInstaller_windows_64bit_v23_4_6_347.msi).
  • Letting the installer terminate the running EDR processes.
  • Forcibly terminating the Windows Installer (msiexec.exe) process before it can complete installation.
  • Leaving the system in an unprotected state with no active SentinelOne processes.

Unlike other EDR bypass methods that rely on vulnerable drivers or third-party tools, this technique uses legitimate SentinelOne installers against themselves. 

Forensic evidence includes EventID 93 with “CommandType: unload” as the last event in SentinelOne operational logs and EventID 1042 in Application logs showing “MsiInstaller Exited.”

Once EDR protection is disabled, attackers deploy Babuk ransomware, a sophisticated encryption malware that targets multiple platforms including Windows and Linux. Babuk emerged in early 2020 and operates as a Ransomware-as-a-Service (RaaS) model.

Babuk uses AES-256 encryption to lock files on infected computers and attempts to terminate processes and services that might inhibit the encryption process. After encryption completes, it displays a ransom note with payment instructions.

Mitigation Steps

SentinelOne responded promptly to Stroz Friedberg’s disclosure and issued guidance to customers in January 2025. 

The critical mitigation is enabling the “Online Authorization” feature in SentinelOne’s Policy settings, which requires approval from the management console before any local upgrades, downgrades, or uninstalls can occur.

“The feature is turned off by default. At the end of the day, getting the word out to mitigate this bypass is the most important thing,” warns Ailes.

SentinelOne has also shared this advisory with other major EDR vendors. Palo Alto Networks has confirmed its EDR solution is not affected by this attack method.

Stroz Friedberg advises organizations to:

  • Enable the “Online Authorization” setting immediately.
  • Monitor systems for unexpected SentinelOne version changes (EventID 1).
  • Watch for multiple ProductVersion changes between different versions in short periods.
  • Check event logs for the abrupt termination of SentinelOne services.
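As an added example (not code from the article, Aon's Stroz Friedberg or SentinelOne), the forensic indicators described earlier and the monitoring advice in this list can be turned into a small offline check over exported Windows event records. The export layout, the message texts, the channel names and the 15-minute window are assumptions of this example; only the event IDs and the quoted strings come from the article.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta
Event = namedtuple("Event", "time channel event_id message")
# Constructed sample exports (not real telemetry); the "timestamp|channel|event_id|message"
# layout is an assumption of this example, as are the message texts around the indicators.
ATTACK_SAMPLE = [
    "2025-01-10T09:00:00|SentinelOne|1|Agent started, ProductVersion: 23.4.6.347",
    "2025-01-10T09:04:00|SentinelOne|1|Agent started, ProductVersion: 23.4.4.223",
    "2025-01-10T09:05:10|SentinelOne|93|CommandType: unload",
    "2025-01-10T09:05:12|Application|1042|MsiInstaller Exited.",
]
BENIGN_SAMPLE = [  # repair install of the same version: the agent comes back afterwards
    "2025-01-10T09:00:00|SentinelOne|1|Agent started, ProductVersion: 23.4.6.347",
    "2025-01-10T09:05:10|SentinelOne|93|CommandType: unload",
    "2025-01-10T09:05:12|Application|1042|MsiInstaller Exited.",
    "2025-01-10T09:05:40|SentinelOne|1|Agent started, ProductVersion: 23.4.6.347",
]

def parse(lines):
    out = []
    for line in lines:
        ts, chan, eid, msg = line.split("|", 3)
        out.append(Event(datetime.fromisoformat(ts), chan, int(eid), msg))
    return sorted(out, key=lambda e: e.time)

def detect_byoi(events, window=timedelta(minutes=15)):
    """Return the names of the article's indicators that the event stream matches."""
    found = []
    s1 = [e for e in events if e.channel == "SentinelOne"]  # agent operational log
    if not s1:
        return found
    last = s1[-1]
    # Indicator 1: "unload" is the final agent event, i.e. the agent never came back.
    if last.event_id == 93 and "CommandType: unload" in last.message:
        found.append("unload_is_last_agent_event")
        # Indicator 2: the Windows Installer exited shortly after the unload.
        if any(e.channel == "Application" and e.event_id == 1042 and "MsiInstaller Exited" in e.message
               and last.time <= e.time <= last.time + window for e in events):
            found.append("msiexec_exited_after_unload")
    # Indicator 3: more than one ProductVersion reported (EventID 1) inside one window.
    versions = []
    for e in s1:
        m = re.search(r"ProductVersion[:= ]+([\d.]+)", e.message) if e.event_id == 1 else None
        if m:
            versions.append((e.time, m.group(1)))
    for i, (t, _) in enumerate(versions):
        if len({v for t2, v in versions[i:] if t2 - t <= window}) >= 2:
            found.append("multiple_version_changes")
            break
    return found
```

Running the check on the two constructed samples flags all three indicators for the attack stream and none for the benign repair install; in practice the records would be exported with your SIEM or Get-WinEvent rather than embedded.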

This discovery highlights the continued evolution of EDR bypass techniques and reinforces the need for organizations to properly configure security tools and maintain awareness of emerging threats targeting their endpoint protection solutions.



Source: https://cybersecuritynews.com/threat-actor-bypass-sentinelone-edr/