
A newly discovered technique is being leveraged by threat actors to bypass Endpoint Detection and Response (EDR) protections—specifically those provided by SentinelOne—through an abuse of its own update process. Dubbed the "Bring Your Own Installer" (BYOI) technique, this method disables the EDR’s defenses long enough to allow for the deployment of ransomware, such as variants of Babuk, without interference.
How the BYOI Technique Works
Most EDR platforms, including SentinelOne, are designed with anti-tamper features that prevent uninstallation or modification without authorization—typically requiring administrative access or a unique passphrase. However, attackers have found a workaround that exploits the EDR’s legitimate update mechanism.
During an upgrade or downgrade, SentinelOne temporarily stops its active protections to replace the running components. By forcibly interrupting this process mid-way, threat actors leave the system in a vulnerable state—protection disabled, upgrade incomplete, and no alerts triggered. At this point, ransomware can be deployed with impunity.
This method does not rely on custom malware or exploit development. Instead, it uses the official SentinelOne installer, making it harder to detect and more accessible to less sophisticated adversaries. Even more concerning, this technique appears effective across multiple versions of the SentinelOne agent.
SentinelOne's Response
SentinelOne has acknowledged the risk and worked with the security team at Aon's Stroz Friedberg to analyze and mitigate the issue. Their recommendations to customers include:
- Enabling "Online Authorization": This setting, when active, requires management console approval for all agent upgrades or removals. It is disabled by default and should be reviewed immediately.
- Using the Local Agent Passphrase: Ensuring that this passphrase feature is enabled will prevent unauthorized modification attempts on endpoints.
SentinelOne is also working toward enabling these security options by default for new deployments.
What This Means for Your Organization
This new method of EDR bypass reinforces a hard truth: even trusted tools can become part of an attacker’s arsenal if left misconfigured or insufficiently monitored. Organizations relying on SentinelOne or similar endpoint protection systems should:
- Immediately assess their current agent configuration across all systems.
- Enable and enforce EDR hardening settings such as online authorization and agent passphrases.
- Restrict administrative access to endpoint systems and monitor for any agent process interruptions.
- Include this attack vector in tabletop and ransomware response planning.
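As an added illustration of the "monitor for agent process interruptions" recommendation (example code written for this article, not SentinelOne's or Critical Path Security's own tooling): a small Python correlation over constructed service-control and installer events that flags upgrade windows in which the agent stopped and protection did not come back. The event names, hosts and timestamps are hypothetical placeholders; map them onto your own telemetry (Windows service events, installer logs, EDR console audit).

```python
from datetime import datetime, timedelta

# Constructed sample telemetry ("<iso-timestamp> <host> <event> [extra]"); the event names
# are hypothetical stand-ins for service-control, installer and process-creation events.
# ws-01: clean upgrade. ws-02: installer killed after the agent stopped. ws-03: agent down,
# next event minutes later.
SAMPLE_EVENTS = """\
2025-05-01T10:00:00 ws-01 INSTALLER_STARTED
2025-05-01T10:00:05 ws-01 AGENT_SERVICE_STOPPED
2025-05-01T10:00:40 ws-01 AGENT_SERVICE_STARTED
2025-05-01T10:00:41 ws-01 UPGRADE_COMPLETED
2025-05-01T11:00:00 ws-02 INSTALLER_STARTED
2025-05-01T11:00:04 ws-02 AGENT_SERVICE_STOPPED
2025-05-01T11:00:09 ws-02 INSTALLER_PROCESS_TERMINATED
2025-05-01T12:00:00 ws-03 INSTALLER_STARTED
2025-05-01T12:00:03 ws-03 AGENT_SERVICE_STOPPED
2025-05-01T12:05:00 ws-03 PROCESS_CREATED pid=4120
"""

def parse_events(text):
    """Return (timestamp, host, event) tuples sorted by time; trailing fields are dropped."""
    rows = [line.split(" ", 2) for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), host, rest.split(" ")[0]) for ts, host, rest in rows)

def find_unprotected_windows(text, max_gap=timedelta(seconds=60)):
    """Return (host, reason, agent_stopped_at) for every upgrade window in which the agent
    stopped and protection did not come back within max_gap, or the installer died first."""
    per_host, findings = {}, []
    for ts, host, ev in parse_events(text):
        per_host.setdefault(host, []).append((ts, ev))
    for host, evs in per_host.items():
        installer_active, stopped_at = False, None
        for ts, ev in evs:
            if ev == "INSTALLER_STARTED":
                installer_active = True
            elif ev == "AGENT_SERVICE_STOPPED" and installer_active:
                stopped_at = ts                        # protection is now down
            elif ev == "AGENT_SERVICE_STARTED":
                stopped_at = None                      # protection restored
            elif ev == "UPGRADE_COMPLETED":
                installer_active, stopped_at = False, None
            elif ev == "INSTALLER_PROCESS_TERMINATED" and stopped_at is not None:
                findings.append((host, "installer terminated while agent stopped", stopped_at))
                installer_active, stopped_at = False, None
            elif stopped_at is not None and ts - stopped_at > max_gap:
                findings.append((host, "agent stopped longer than max_gap", stopped_at))
                stopped_at = None                      # report each window once
        if stopped_at is not None:                     # log ends with protection still down
            findings.append((host, "agent still stopped at end of log", stopped_at))
    return findings
```

Tune max_gap to the normal duration of an agent upgrade in your environment; a service stop outside any installer run is deliberately not tracked here, since other detections cover plain tampering.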
At Critical Path Security, we continuously track emerging threat tactics and help organizations not only recover from but proactively defend against sophisticated threats like this. This isn’t just a bypass; it’s a wake-up call for better security hygiene and operational awareness.