A novel technique called “Bring Your Own Installer” (BYOI) has emerged to bypass Endpoint Detection and Response (EDR) protections, specifically targeting SentinelOne’s tamper protection. This method enables cybercriminals to disable EDR agents, paving the way for deploying ransomware like the Babuk variant. The significance was highlighted when Aon’s Stroz Friedberg Incident Response team encountered it during a client investigation following a ransomware attack earlier in the year.
BYOI attacks abuse a weakness in SentinelOne’s agent upgrade process: while the installer runs, the agent’s service is briefly interrupted, and that window gives an attacker the opportunity to disable the protection entirely. Unlike traditional EDR-killing methods that rely on external tools or drivers, this technique uses the EDR’s own installer. A critical concern is that it works against both old and recent SentinelOne agent versions, so a fully patched system remains exposed unless the mitigating setting is enabled.
To counter this, SentinelOne advises enabling the “Online Authorization” feature, which is typically off by default. With it on, local upgrade, downgrade or uninstall actions on the agent require authorization from the management console, which closes the window the technique relies on. Although SentinelOne has shared this information and its mitigations widely, many customers remain unprotected because they have not turned the setting on.
The same weakness could affect other EDR vendors. Palo Alto Networks has confirmed that its products are not susceptible, but the broader implication is that any agent whose installer can be run by someone with local access to the host carries a comparable risk. SentinelOne has since changed its product defaults so that “Online Authorization” is enabled for new customers, and it encourages existing customers to enable it as well.
The incident underscores the dynamic nature of endpoint threats and the need for vigilance, up-to-date configuration, and rapid information sharing. Organizations must verify that security tooling is configured as the vendor recommends, not merely installed, and stay informed of vendor advisories to defend effectively against such techniques.