A recently uncovered security flaw in
A Deep Dive into the SentinelOne BYOI Exploit
Cybersecurity researchers at Aon’s Stroz Friedberg have identified a method by which adversaries can bypass SentinelOne’s EDR protections using a carefully timed disruption in its upgrade sequence. The attack does not rely on malicious drivers or exploit known kernel vulnerabilities. Instead, it cleverly abuses the Windows Installer mechanism and SentinelOne’s local upgrade permissions.
The investigation originated from a real-world incident involving the deployment of Babuk ransomware. During the breach, attackers acquired local administrative access and were able to disable SentinelOne protections without triggering its anti-tamper defenses. The key to the attack lay in interrupting the update process, leaving the system in an unprotected state.
The forensic analysis revealed:
- Frequent version changes of SentinelOne agents.
- Usage of legitimate MSI installers for SentinelOne.
- No evidence of vulnerable drivers or malware injection.
- Disabled online authorization for local upgrades/downgrades, which opened the door for exploitation.
In controlled tests, researchers replicated the attack on a Windows Server 2022 running SentinelOne version 23.4.6.223. They began a standard upgrade using a different SentinelOne MSI file via msiexec.exe. As the upgrade proceeded, the active EDR processes shut down in preparation for the new version. However, before installation was complete, the team forcefully terminated the installer process. This left the system without any running SentinelOne processes—effectively removing endpoint protection without detection.
Even more concerning, the system eventually disappeared from the SentinelOne management console, leaving administrators blind to its security posture.
Tests confirmed that timing the interruption precisely during the upgrade process led to consistent bypasses across various SentinelOne agent versions. SentinelOne was informed of the vulnerability and responded by issuing updated guidance to users. Specifically, administrators are advised to enable “Online authorization”, which prevents local changes to the EDR agent without centralized approval. However, this setting is not enabled by default, making many systems potentially vulnerable unless explicitly configured.
What Undercode Say:
This case exemplifies how legitimate administrative tools and update mechanisms can be repurposed for malicious ends—a technique we increasingly see in post-exploitation scenarios. The SentinelOne incident is particularly critical for several reasons:
- No malware or driver exploits were used—this evasion was accomplished using built-in OS features and SentinelOne’s own installer.
- Attackers had admin access, highlighting the need for privileged access monitoring and hardening. Once inside, adversaries can manipulate processes that even EDR tools don’t protect well during updates.
- Update processes are inherently risky. Software vendors often assume that processes like upgrades are trusted; however, this trust can be easily broken when local authorization is left unchecked.
- BYOI (Bring Your Own Installer) is an advanced evasion technique that security teams must prepare for. It leverages signed binaries, installers, or known tools as attack vectors, making detection far more complex.
- The exploitation here mirrors “Living off the Land” (LotL) tactics but with a twist—using security software against itself.
From a threat landscape perspective, this type of bypass is especially dangerous for critical infrastructure, financial institutions, and government agencies, where even brief lapses in endpoint protection can lead to widespread compromise.
Security policies should now:
- Enforce strict endpoint protection upgrade procedures.
- Enable Online Authorization by default across all deployments.
- Audit administrative activity regularly.
- Monitor for abnormal MSI installer activity on endpoints.
- Use EDR tamper detection and behavioral analytics to catch anomalous process terminations during updates.
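One way to implement the last two recommendations, as an added example that is not part of the original post or of any SentinelOne tooling: pair Windows Installer begin/end transaction events (MsiInstaller 1040/1042) for EDR installers and alert when a begin is never closed, which is exactly the state the interrupted upgrade leaves behind. The log records, timestamps, installer path, PID and the SentinelAgent service name are constructed for illustration; the regex for your vendor's names is an assumption to adjust.

```python
from collections import namedtuple
from datetime import datetime, timedelta
import re

Event = namedtuple("Event", "ts source event_id message")
T = lambda h, m, s: datetime(2025, 5, 1, h, m, s)   # constructed timestamps

# Constructed Application/System log sample. Windows Installer writes
# MsiInstaller 1040 when a transaction begins and 1042 when it ends; the
# Service Control Manager writes 7036 on service state changes. The .msi
# path, PID and service name are assumptions for illustration.
SAMPLE = [
    Event(T(10, 0, 0), "MsiInstaller", 1040, "Beginning a Windows Installer transaction: "
          "C:\\Temp\\SentinelInstaller_v23_3.msi. Client Process Id: 4711."),
    Event(T(10, 0, 9), "Service Control Manager", 7036,
          "The SentinelAgent service entered the stopped state."),
    # No 1042 for PID 4711 ever follows: msiexec.exe was killed mid-upgrade.
    Event(T(10, 30, 0), "MsiInstaller", 1040, "Beginning a Windows Installer transaction: "
          "C:\\Temp\\7z2409-x64.msi. Client Process Id: 5100."),
    Event(T(10, 30, 8), "MsiInstaller", 1042, "Ending a Windows Installer transaction: "
          "C:\\Temp\\7z2409-x64.msi. Client Process Id: 5100."),
]

TXN_RE = re.compile(r"transaction: (?P<path>.+?\.msi)\. Client Process Id: (?P<pid>\d+)", re.I)
EDR_RE = re.compile(r"sentinel", re.I)   # assumed: match your EDR's installer/service names

def find_interrupted_edr_upgrades(events, window=timedelta(minutes=15)):
    """Pair each EDR 1040 (begin) with the 1042 (end) for the same path and PID;
    a begin still unpaired `window` after it started is the page's pattern."""
    events = sorted(events, key=lambda e: e.ts)
    open_txns, alerts = {}, []
    for ev in events:
        if ev.source != "MsiInstaller" or not (m := TXN_RE.search(ev.message)):
            continue
        key = (m["path"].lower(), m["pid"])
        if ev.event_id == 1040 and EDR_RE.search(m["path"]):
            open_txns[key] = ev
        elif ev.event_id == 1042:
            open_txns.pop(key, None)   # transaction completed normally
    log_end = events[-1].ts
    for (path, pid), ev in open_txns.items():
        if log_end - ev.ts < window:
            continue   # installer may still be running; wait before alerting
        service_stopped = any(e.source == "Service Control Manager" and e.event_id == 7036
                              and EDR_RE.search(e.message) and "stopped state" in e.message
                              and ev.ts <= e.ts <= ev.ts + window for e in events)
        alerts.append({"path": path, "pid": pid, "started": ev.ts,
                       "edr_service_stopped": service_stopped})
    return alerts
```

An alert with `edr_service_stopped` set is the high-confidence case: the agent went down for an upgrade that never finished, and the host should be treated as unprotected until the agent is confirmed running again.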
Attackers are always
In addition, this case should push security vendors to harden their upgrade workflows, ensuring that partial or interrupted installs cannot leave systems exposed.
Fact Checker Results
- The BYOI technique described has been verified through forensic replication.
- SentinelOne’s online authorization was indeed not enabled by default at the time of testing.
- SentinelOne responded with official mitigation guidance after disclosure.
Prediction
Given the sophistication and stealth of this BYOI bypass method, we expect to see an uptick in similar EDR bypasses targeting weak points in legitimate software workflows—especially among security solutions themselves. Attackers will increasingly target configuration oversights and upgrade paths as more organizations harden traditional perimeter defenses.
Future threats are likely to include:
- More vendor-specific update hijacks.
- Broader adoption of trusted tool misuse techniques.
- Greater targeting of EDR and XDR environments, particularly during periods of maintenance or upgrade.
Security teams must proactively address these new realities with preventative configuration enforcement, robust behavioral analytics, and routine red-team simulations to uncover these blind spots before attackers do.
References:
Reported By: securityaffairs.com