New "Bring Your Own Installer" EDR bypass used in ransomware attack

Published on: 2025-07-25 16:28:34

A new "Bring Your Own Installer" EDR bypass technique has been used in attacks to defeat SentinelOne's tamper protection, letting threat actors disable the endpoint detection and response (EDR) agent and then deploy Babuk ransomware. The technique exploits a gap in the agent upgrade process: during an upgrade the running agent is terminated, and an attacker who can run the installer can leave the device without a working agent.

The attack was discovered by John Ailes and Tim Mashni of Aon's Stroz Friedberg Incident Response team during an engagement with a customer that suffered a ransomware attack earlier this year. Unlike most EDR bypasses, which bring a vulnerable third-party driver or other tooling onto the host, this technique needs no external component; it abuses the SentinelOne installer itself.

SentinelOne recommends that customers enable the "Online Authorization" setting to mitigate this attack. Because the setting is off by default, existing deployments should verify it has actually been turned on rather than assume it.

"We want to get the word out to ensure SentinelOne's customers know to enable Local Upgrade protection," John Ailes, Manager, ...
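The article's key point for defenders is that a legitimate agent upgrade and this bypass look identical at first (installer runs, agent service stops); the difference is that after the bypass the agent never comes back. The following detection logic, added here as an illustration and not code from SentinelOne, Aon or the article, correlates those three signals over a small constructed event log. The service name `SentinelAgent`, the installer image names, the "sentinel" command-line hint, the pipe-delimited record format and the time windows are all assumptions to be mapped onto your own telemetry.

```python
"""Flag hosts where the EDR agent service stopped shortly after an agent
installer ran and was not started again within a grace period.

Added example for this article; not SentinelOne's, Aon's or the article's
own code. Service name, installer image names, command-line hint, record
layout and time windows below are assumptions, not facts from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

AGENT_SERVICE = "SentinelAgent"                       # assumption
INSTALLER_IMAGES = {"msiexec.exe", "sentinelinstaller.exe"}  # assumption
INSTALLER_HINT = "sentinel"                           # assumption
PRE_STOP_WINDOW = timedelta(minutes=5)   # installer start -> agent stop
RESTART_GRACE = timedelta(minutes=10)    # agent stop -> expected restart


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str      # process_start | service_stop | service_start
    name: str      # process image or service name
    cmdline: str


def parse_line(line: str) -> Event:
    """Parse a constructed record: ts|host|kind|name|cmdline (cmdline optional)."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) < 4:
        raise ValueError(f"malformed event: {line!r}")
    parts += [""] * (5 - len(parts))
    ts, host, kind, name, cmdline = parts
    return Event(datetime.fromisoformat(ts), host, kind, name, cmdline)


def is_agent_installer(ev: Event) -> bool:
    """A process start of a known installer image whose command line names the agent."""
    return (ev.kind == "process_start"
            and ev.name.lower() in INSTALLER_IMAGES
            and INSTALLER_HINT in ev.cmdline.lower())


def find_unrecovered_agent_stops(lines, now=None):
    """Return (host, stop_time_iso, installer_cmdline) for each agent stop that
    followed an installer run and was not followed by an agent start within
    RESTART_GRACE. 'now' defaults to the newest event so that a stop still
    inside its grace period is not reported prematurely."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    if not events:
        return []
    now = now or events[-1].ts
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not (ev.kind == "service_stop" and ev.name == AGENT_SERVICE):
                continue
            # Only stops preceded by an agent installer run are interesting;
            # a plain reboot or manual stop is a different (noisier) signal.
            installer = next((e for e in evs[:i] if is_agent_installer(e)
                              and ev.ts - e.ts <= PRE_STOP_WINDOW), None)
            if installer is None:
                continue
            # A legitimate upgrade starts the new agent soon after the stop.
            restarted = any(e.kind == "service_start" and e.name == AGENT_SERVICE
                            and ev.ts < e.ts <= ev.ts + RESTART_GRACE
                            for e in evs[i + 1:])
            if restarted or now - ev.ts < RESTART_GRACE:
                continue
            alerts.append((host, ev.ts.isoformat(), installer.cmdline))
    return alerts


# Constructed sample log (not real telemetry). WS01 is a normal upgrade,
# WS02 is the installer-driven stop with no restart, WS03 stops without
# any installer run and is deliberately not matched.
SAMPLE_LOG = """\
2025-05-01T10:00:00|WS01|process_start|msiexec.exe|msiexec.exe /i SentinelInstaller.msi /q
2025-05-01T10:00:20|WS01|service_stop|SentinelAgent|
2025-05-01T10:00:50|WS01|service_start|SentinelAgent|
2025-05-01T11:00:00|WS02|process_start|msiexec.exe|msiexec.exe /i SentinelInstaller.msi /q
2025-05-01T11:00:20|WS02|service_stop|SentinelAgent|
2025-05-01T11:30:00|WS02|process_start|notepad.exe|notepad.exe
2025-05-01T11:05:00|WS03|service_stop|SentinelAgent|
"""

if __name__ == "__main__":
    for host, when, cmd in find_unrecovered_agent_stops(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host} agent stopped at {when} after installer: {cmd}")
```

The value of correlating all three signals is that alerting on installer execution alone or on agent stops alone would fire on every scheduled upgrade. In production the grace period should be tuned to the longest observed legitimate upgrade, and an alert on an unrecovered stop should be treated as a possible precursor to ransomware deployment rather than as a routine health check.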