Bypassing SentinelOne EDR: Attacker Interrupts Agent Upgrade/Downgrade


Summary
CRIL reviewed a recent incident response engagement reported by Aon's Stroz Friedberg, which described a technique a threat actor used to bypass SentinelOne's Endpoint Detection and Response (EDR) agent. The attacker abused a window in the agent's upgrade/downgrade process to disable protection without triggering the anti-tamper feature, leaving the host exposed.
In response, SentinelOne shared mitigation steps with its customers and worked with Stroz Friedberg to notify other EDR vendors. SentinelOne users are advised to review and apply the recommended fixes to stay protected.
Technical Analysis
SentinelOne EDR is an advanced endpoint protection solution that detects, blocks, and responds to threats in real time. It includes anti-tamper safeguards to prevent unauthorized changes or disabling of its security functions.
Researchers found that the threat actor first gained a foothold by exploiting a known vulnerability in a publicly exposed server. After obtaining local administrator privileges, the attacker disabled SentinelOne's protection without ever supplying the anti-tamper passphrase.
Instead of using traditional malware or a malicious driver, the attacker relied on a more subtle technique: abusing SentinelOne’s legitimate upgrade mechanism. By placing multiple authentic versions of the SentinelOne installer on the compromised system, the attacker triggered a version switch between different agent builds.
Multiple legitimate SentinelOne installer files were found on the system:
• SentinelOneInstaller_windows_64bit_v23_4_4_223.exe
• SentinelInstaller_windows_64bit_v23_4_6_347.msi
Event logs indicated frequent agent version changes within a 10-minute window:
• SentinelOne%4Operational.evtx:
  Event ID 1: Product version switches between 23.4.4.223 and 23.4.6.347.
  Event ID 93: "Unload" command, suggesting shutdown of protection.
• Application.evtx:
  Event ID 1042: SentinelOne MSI installer (msiexec.exe) exited.
Additional indicators included changes to scheduled tasks, services, and firewall configuration. Taken together, the logs show the agent toggling between the two versions within roughly ten minutes and then a final "Unload" event after which no new agent version was reported, indicating the agent had been shut down and never restarted.
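The indicators above reduce to a simple host-level detection: several version switches in Event ID 1 inside a short window, followed by an Event ID 93 "Unload" with no later version event, with MSI installer exits (Application Event ID 1042) clustered around them. The script below is an added example, not code from the original post, Stroz Friedberg, or SentinelOne. It assumes the events have been exported to records with the keys time/log/id/message (for instance from Get-WinEvent output converted to JSON); the log names and every sample record are constructed for illustration and are not real log data.

```python
"""Flag the version-toggle-then-unload pattern from the indicators above.

Added example; not code from the original post, Stroz Friedberg or SentinelOne.
Input records are assumed to be dicts with keys time/log/id/message, e.g. after
exporting Get-WinEvent results to JSON; log names and all sample events are
constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

S1_OPERATIONAL = "SentinelOne/Operational"  # assumed export name for SentinelOne%4Operational.evtx
APPLICATION = "Application"
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def version_switches(events):
    """Return [(time, old_version, new_version)] for every version change seen in Event ID 1."""
    switches, last = [], None
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["log"] != S1_OPERATIONAL or ev["id"] != 1:
            continue
        match = VERSION_RE.search(ev["message"])
        if not match:
            continue
        version = match.group(1)
        if last is not None and version != last:
            switches.append((_ts(ev["time"]), last, version))
        last = version
    return switches


def analyze(events, window=timedelta(minutes=10), min_switches=2):
    """Score one host's events: suspicious = rapid toggling AND an unload the agent never recovers from."""
    switches = version_switches(events)
    times = [t for t, _, _ in switches]

    # Densest cluster: the most switches that fall inside any single window.
    max_in_window = 0
    for i, start in enumerate(times):
        max_in_window = max(max_in_window, sum(1 for t in times[i:] if t - start <= window))

    version_times = [_ts(e["time"]) for e in events
                     if e["log"] == S1_OPERATIONAL and e["id"] == 1]
    unload_times = [_ts(e["time"]) for e in events
                    if e["log"] == S1_OPERATIONAL and e["id"] == 93 and "unload" in e["message"].lower()]
    # A legitimate upgrade also unloads the old agent, but Event ID 1 follows once the new
    # one starts. An unload with no later version event means the agent never came back.
    final_unload = bool(unload_times) and bool(version_times) and max(unload_times) > max(version_times)

    # MSI installer exits (Application 1042) around the toggling cluster.
    msi_exits = 0
    if times:
        lo, hi = times[0] - window, times[-1] + window
        msi_exits = sum(1 for e in events
                        if e["log"] == APPLICATION and e["id"] == 1042 and lo <= _ts(e["time"]) <= hi)

    return {
        "switches": switches,
        "max_switches_in_window": max_in_window,
        "final_unload": final_unload,
        "msi_exits": msi_exits,
        "suspicious": max_in_window >= min_switches and final_unload,
    }


def _ev(time, log, event_id, message):
    return {"time": time, "log": log, "id": event_id, "message": message}


# Constructed records modelled on the indicators in the text (not real log data).
SUSPICIOUS_EVENTS = [
    _ev("2025-04-01T09:00:00Z", S1_OPERATIONAL, 1, "Agent started, product version 23.4.6.347"),
    _ev("2025-04-01T10:01:10Z", APPLICATION, 1042, "Ending a Windows Installer transaction"),
    _ev("2025-04-01T10:01:20Z", S1_OPERATIONAL, 1, "Product version: 23.4.4.223"),
    _ev("2025-04-01T10:03:40Z", S1_OPERATIONAL, 1, "Product version: 23.4.6.347"),
    _ev("2025-04-01T10:05:00Z", APPLICATION, 1042, "Ending a Windows Installer transaction"),
    _ev("2025-04-01T10:05:10Z", S1_OPERATIONAL, 1, "Product version: 23.4.4.223"),
    _ev("2025-04-01T10:06:00Z", APPLICATION, 1042, "Ending a Windows Installer transaction"),
    _ev("2025-04-01T10:07:30Z", S1_OPERATIONAL, 93, "Unload command received"),
]

# A routine upgrade: one switch, and the new version reports in after the unload.
BENIGN_EVENTS = [
    _ev("2025-04-01T09:00:00Z", S1_OPERATIONAL, 1, "Product version: 23.4.4.223"),
    _ev("2025-04-01T09:01:00Z", S1_OPERATIONAL, 93, "Unload command received"),
    _ev("2025-04-01T09:02:00Z", APPLICATION, 1042, "Ending a Windows Installer transaction"),
    _ev("2025-04-01T09:03:00Z", S1_OPERATIONAL, 1, "Product version: 23.4.6.347"),
]

if __name__ == "__main__":
    for name, evs in (("suspicious", SUSPICIOUS_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, analyze(evs))
```

The key discriminator is the final unload rather than the unload itself: a normal upgrade also produces Event ID 93, but a new Event ID 1 follows when the replacement agent starts. Tune the window and the switch threshold to your environment; a single planned upgrade should never produce more than one switch.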
The technique abuses the sequencing of a version change: the running agent is unloaded before the new version is installed, so there is a window in which no agent is running. The attacker interrupted the upgrade inside that window by killing the installer process (msiexec.exe), leaving the host unprotected with no alert raised and no visibility in the management console.
To confirm this, Stroz Friedberg replicated the attack in a controlled environment using Windows Server 2022 and the same SentinelOne agent version. They verified the agent was active, then initiated a version change using an MSI installer. As expected, SentinelOne processes were temporarily terminated.
By stopping the installer mid-process using a taskkill command with admin rights, they successfully broke the upgrade cycle, leaving the system unprotected. Shortly afterward, the host disappeared from the SentinelOne dashboard, validating the bypass.
This method was not tied to any specific version and worked consistently across multiple builds of the SentinelOne agent. It also required no malicious files, only local admin access and legitimate installer files. Notably, the affected environment had not enabled SentinelOne's online authorization for local upgrades and downgrades (the Local Update Authorization setting); had it been enabled, the version change would have required console approval and the attack would likely have failed.
Recommendations
Ensure the Local Update Authorization feature is enabled in SentinelOne. This setting requires administrator approval for any agent upgrades or downgrades, effectively blocking unauthorized changes to the EDR agent.
Configure and enforce the agent passphrase requirement for all SentinelOne installations. This will prevent unauthorized agents from being installed or uninstalled, adding an extra layer of protection even if the Local Update Authorization feature isn't enabled.
Limit local administrator access to critical endpoints. Attackers need local admin privileges to exploit this vulnerability, so minimizing local admin rights can reduce the risk of unauthorized agent manipulation.
Keep all systems and applications up to date to close any vulnerabilities, especially those that could be exploited for local privilege escalation. Regular patching helps prevent attackers from gaining the initial access needed for the attack.
Set up monitoring for unusual file creation or execution of SentinelOne-signed installers and MSI files. Any unexpected or unauthorized installer activity should be flagged for review to detect potential bypass attempts early.
Conclusion
This attack leveraged a gap in SentinelOne's local upgrade process, allowing attackers with local administrative access to bypass EDR protection. SentinelOne already offered the Local Update Authorization feature, and its mitigation guidance is to enable it: when enabled, it prevents this type of attack. Ensuring proper configuration of this feature, along with enforcing agent passphrases and restricting local admin access, significantly reduces exposure to this bypass.
Written by

FPT Metrodata Indonesia
PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.