Management Consulting
Aon
Full Credential Description
In a recent incident investigated by Aon's Stroz Friedberg Incident Response Services, a threat actor bypassed the SentinelOne Endpoint Detection and Response (EDR) product by exploiting a vulnerability in the agent's upgrade process. The attacker first gained local administrative access to a publicly accessible server by exploiting a known CVE in an application running on that server. With that access, the threat actor was able to disable the EDR agent without needing the anti-tamper code, ultimately leading to the execution of a variant of the Babuk ransomware.

Forensic analysis revealed several indicators of the EDR bypass, including the creation of multiple versions of legitimate, signed SentinelOne installer files and a series of event logs documenting rapid product version changes. The investigation confirmed that the affected environment did not have the local upgrade/downgrade online authorization feature enabled, which would have prevented the bypass. Stroz Friedberg's testing methodology replicated the attack by initiating an upgrade process that terminated all SentinelOne processes, leaving a window during which the system was unprotected.

In response to this incident, SentinelOne promptly issued mitigation guidance to its clients, emphasizing the importance of enabling the "Online authorization" feature, which restricts local upgrades and downgrades. Stroz Friedberg's preliminary tests indicated that once this feature was enabled, the EDR bypass could not be executed as previously demonstrated. The collaboration between Stroz Friedberg and SentinelOne ensured that the attack pattern was disclosed to other EDR vendors, allowing them to assess their products for similar vulnerabilities before public disclosure. As of the publication date, no EDR vendor, including SentinelOne, was known to be impacted by this attack when its product was properly configured.
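The forensic indicator described above, a burst of agent version-change events (including downgrades) on one host, is the kind of signal a detection rule can surface. The following is an added Python example, not Aon's or SentinelOne's code; the log line format, host names, version numbers and the 15-minute / 3-event threshold are constructed assumptions for illustration.

```python
"""Flag hosts whose EDR agent version changed repeatedly in a short window.

Added example; not Aon's or SentinelOne's code. The log format below is
constructed, not a real SentinelOne or Windows event schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one record per agent product-version change, plus an
# unrelated record that the parser must ignore.
SAMPLE_LOG = """\
2024-01-10T08:00:12Z host=db01 event=agent_version_change old=23.1.0 new=23.2.0
2024-01-10T11:02:03Z host=web01 event=agent_version_change old=23.2.0 new=22.1.0
2024-01-10T11:03:41Z host=web01 event=agent_version_change old=22.1.0 new=23.2.0
2024-01-10T11:05:17Z host=web01 event=agent_version_change old=23.2.0 new=22.1.0
2024-01-10T11:06:55Z host=web01 event=agent_version_change old=22.1.0 new=21.7.0
2024-01-10T11:07:30Z host=web01 event=service_state state=stopped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=agent_version_change "
    r"old=(?P<old>[\d.]+) new=(?P<new>[\d.]+)$"
)

def parse_version(v):
    """'23.2.0' -> (23, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def parse_log(text):
    """Return (timestamp, host, old_version, new_version) for each change event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a version-change record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], parse_version(m["old"]), parse_version(m["new"])))
    return events

def find_rapid_changes(events, window=timedelta(minutes=15), threshold=3):
    """Map host -> {'changes', 'downgrades'} for hosts with at least
    `threshold` version changes inside any span of length `window`."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        best = []
        for i, first in enumerate(evs):  # sliding window anchored at each event
            span = [e for e in evs[i:] if e[0] - first[0] <= window]
            if len(span) > len(best):
                best = span
        if len(best) >= threshold:
            downgrades = sum(1 for e in best if e[3] < e[2])  # new < old
            findings[host] = {"changes": len(best), "downgrades": downgrades}
    return findings

if __name__ == "__main__":
    print(find_rapid_changes(parse_log(SAMPLE_LOG)))
```

Downgrades are counted separately because a version going backwards is the stronger signal when local upgrade/downgrade authorization is not enforced.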