CyberMaxx is aware of the recent blog post by Aon’s Stroz Friedberg highlighting a method used by threat actors to bypass SentinelOne’s anti-tamper protections via the agent upgrade/downgrade mechanism.

This technique requires access to a beachhead host, escalation to administrative access, and a copy of a newer legitimate SentinelOne installation MSI file. Taken together, these factors significantly limit the threat surface of this attack. SentinelOne actively collaborated with Stroz Friedberg to assess the issue and provide mitigation guidance.

CyberMaxx is also conducting a review of its own SentinelOne tenant to ensure it aligns with best practices and to implement appropriate mitigations to further protect our customers. Our threat intelligence team has used the IOCs from the blog post to create detections for suspected attacks. We will continue to monitor for more information and share it as it becomes available.

Recommendations

  • Keep an up-to-date asset inventory.
  • Follow regularly scheduled maintenance cycles.
  • Disable local admin/install rights for regular users.
  • Ensure installation artifacts (such as the installer package) are removed from hosts once the EDR agent has been deployed.

More Reading / Information