"Bring Your Own Installer" Attack Exploits SentinelOne EDR Misconfigurations

A novel attack technique, termed “Bring Your Own Installer” (BYOI), has been identified by cybersecurity researchers at Aon’s Stroz Friedberg. This method enables threat actors to bypass SentinelOne’s Endpoint Detection and Response (EDR) protections by exploiting misconfigurations during the agent’s upgrade or downgrade processes. The attack leverages legitimate installer behaviors to disable security features, leaving endpoints vulnerable to further compromise.

Technical Description

The “Bring Your Own Installer” (BYOI) technique exploited in this attack revolves around a legitimate process used by SentinelOne’s Endpoint Detection and Response (EDR) agent: the upgrade and downgrade mechanism. Normally, SentinelOne agents include tamper protection to prevent unauthorized actions like uninstallation, deactivation, or replacement of critical components. However, this protection is intentionally and temporarily disabled when the agent is being upgraded or downgraded to facilitate the change in software versions.

The attack starts by leveraging this downgrade logic, which is not strictly gated behind administrative authorization when misconfigured. An attacker with local access to the machine (for example via malware, a compromised account, or remote desktop) can supply an older, valid SentinelOne Windows installer. This installer can be a legitimate version previously obtained or scraped from the internet. When executed, it initiates a rollback or reinstallation process that causes the agent to suspend its self-protection mechanisms. During this brief period, core EDR services such as monitoring, telemetry, and threat detection may stop or run in a less secure state.

Once the system is in this vulnerable window, the attacker can:

  • Terminate security-related processes or services.
  • Replace SentinelOne binaries with trojanized or inert versions.
  • Install or execute malware without triggering alerts.
  • Modify or delete logs that would otherwise flag suspicious behavior.

This is particularly dangerous because the downgrade process doesn’t always require elevated privileges when improperly configured. Moreover, some Windows environments allow software management policies that do not enforce digital signature verification for rollback installers, allowing attackers to use slightly modified or unsigned versions of the agent binary to execute the attack.

To maintain stealth, adversaries can couple this with living-off-the-land binaries (LOLBins) or scripting frameworks (e.g., PowerShell, WMI) to execute the downgrade and payload delivery silently in the background. They might even automate the process using batch scripts or system scheduler tasks.

Additionally, researchers noted that after disabling SentinelOne, attackers used this access to:

  • Exfiltrate sensitive data before launching ransomware payloads.
  • Install secondary persistence mechanisms (e.g., registry run keys, scheduled tasks).
  • Exploit lateral movement opportunities within the network once defenses were neutralized.

From a security engineering standpoint, the core flaw isn’t a software bug (no CVE has been assigned) but rather a weakness in trust assumptions around local agent control and upgrade operations. If local users or malware can impersonate a legitimate upgrade action, then EDR protections can be nullified in seconds, offering an ideal prelude for attacks like ransomware or advanced persistent threats (APTs).

Impact

The exploitation of BYOI can lead to significant security breaches, including:

  • Disabling of EDR Protections: By circumventing anti-tamper features, attackers can operate without detection.
  • Malware Deployment: With defenses down, systems are susceptible to ransomware, spyware, and other malicious software.
  • Data Exfiltration: Attackers can access and extract sensitive information without triggering alerts.
  • Lateral Movement: Compromised systems can serve as a foothold for attackers to infiltrate broader network environments.

The technique’s reliance on legitimate processes makes it particularly challenging to detect and prevent, especially in environments with lax configuration management.

IOC and Context Details

Topics                  Details
Tactic Name             Defense Evasion
Technique Name          Abuse of Installer Processes
Sub-Technique Name      Exploitation of Trusted Binary for Bypassing Security Tools
Attack Type             Configuration Exploitation
Targeted Applications   SentinelOne EDR Agent
Region Impacted         Global
Industry Impacted       All
IOCs                    NA
CVE                     NA

Recommended Actions

To defend against BYOI attacks, organizations should:

  • Enforce Strict Installation Policies: Restrict software installation and upgrades to authorized personnel and processes.
  • Monitor Installer Activities: Implement logging and alerting for installer executions, especially those involving security software.
  • Regularly Audit EDR Configurations: Ensure that anti-tamper features are enabled and that upgrade/downgrade procedures require proper authorization.
  • Educate Staff: Train IT and security teams on the risks associated with software installation processes and the importance of maintaining secure configurations.
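Following the "Monitor Installer Activities" item above, the script below is an added example (not from the Stroz Friedberg research or from SentinelOne) that triages process-creation events for SentinelOne installer launches and raises the severity when the installer version is older than the running agent or the launch came from a script host such as PowerShell. The Sysmon Event ID 1 / Security 4688 field names are real; the sample events, versions, paths and the installer file-name pattern are constructed assumptions.

```python
import re
import ntpath

# Added example, not from the Stroz Friedberg research or SentinelOne: triage
# process-creation events (Sysmon Event ID 1 / Security 4688 field names) for
# SentinelOne installer launches. All events, paths and versions are constructed,
# and the "v<a>_<b>_<c>_<d>" installer file-name pattern is an assumption.
INSTALLED_AGENT_VERSION = (23, 4, 2, 14)  # assumed version currently on the host
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
VERSION_RE = re.compile(r"sentinel\S*?v(\d+)[._](\d+)[._](\d+)[._](\d+)", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"Image": r"C:\Windows\System32\msiexec.exe", "User": r"CORP\jdoe",  # old agent, silent, from PowerShell
     "CommandLine": r'msiexec.exe /i "C:\Users\Public\SentinelInstaller_v22_1_3_1215.msi" /quiet',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM",  # newer agent via deployment tool
     "CommandLine": r'msiexec.exe /i "C:\ProgramData\Deploy\SentinelInstaller_v23_4_3_20.msi" /qn',
     "ParentImage": r"C:\Program Files\Deploy\agentsvc.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "User": r"CORP\jdoe",  # unrelated installer, ignored
     "CommandLine": r'msiexec.exe /i "C:\Temp\7zip.msi" /qn',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def installer_version(command_line):
    """Version tuple embedded in a SentinelOne installer file name, or None."""
    m = VERSION_RE.search(command_line)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(event, installed=INSTALLED_AGENT_VERSION):
    """Return a finding for a SentinelOne installer launch, else None."""
    if "sentinel" not in f'{event["Image"]} {event["CommandLine"]}'.lower():
        return None
    reasons = []
    version = installer_version(event["CommandLine"])
    if version is not None and version < installed:  # rollback window opens here
        reasons.append(f"downgrade {installed} -> {version}")
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent in SCRIPT_HOSTS:  # installer driven from a script host
        reasons.append(f"launched from script host {parent}")
    # Any SentinelOne installer run is worth a look; downgrade or scripted launch is high.
    return {"user": event["User"], "version": version,
            "severity": "high" if reasons else "review",
            "reasons": reasons or ["SentinelOne installer run; confirm it was authorized"]}


def triage(events=SAMPLE_EVENTS):
    """Findings for every event that involves a SentinelOne installer."""
    return [f for f in map(assess, events) if f is not None]
```

In production the same checks would run over live Sysmon or 4688 events, with the installed version read from the host rather than hard-coded.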
