Scientific Analysis: Threat Actor Exploits SentinelOne EDR Vulnerability to Deploy Babuk Ransomware
How it works and what you can do about it
Introduction
A sophisticated cyberattack campaign leveraging a novel "Bring Your Own Installer" (BYOI) technique has been observed bypassing SentinelOne’s Endpoint Detection and Response (EDR) protections to deploy Babuk ransomware. This attack, first documented by Aon’s Stroz Friedberg Incident Response team, exploits a critical timing vulnerability in SentinelOne’s agent upgrade process, enabling threat actors to disable anti-tamper safeguards and leave systems defenseless. Below, we dissect the attack mechanics, forensic indicators, and mitigation strategies to combat this evolving threat.
Attack Mechanism: Exploiting the Agent Upgrade Process
1. Vulnerability in SentinelOne’s Upgrade Workflow
SentinelOne’s agent upgrade process involves terminating existing EDR processes before overwriting files with a new version. Attackers exploit this brief window (approximately 55 seconds) by:
Deploying Legitimate Installers: Using signed MSI/EXE files (e.g., SentinelOneInstaller_windows_64bit_v23_4_4_223.exe) to trigger the upgrade process.
Forcibly Terminating the Installer: Once the installer terminates SentinelOne processes, attackers kill the msiexec.exe process before the new agent version activates. This leaves the system unprotected, with no EDR services running.
Deploying Ransomware: With defenses disabled, Babuk ransomware is executed. Babuk uses AES-256 encryption, terminates competing processes (e.g., backups), and exfiltrates data to pressure victims into paying ransoms.
2. Forensic Indicators
Key forensic evidence includes:
Event Logs: EventID 93 (CommandType: unload) in SentinelOne operational logs; EventID 1042 (MsiInstaller exit) and rapid ProductVersion changes in Application logs.
System Artifacts: Creation of multiple SentinelOne installer files, scheduled task modifications, and unexpected service terminations.
3. Attack Prerequisites
Local Administrative Access: Gained via exploits (e.g., CVE-2021-27065) or credential theft.
Disabled “Online Authorization”: The default SentinelOne setting allowing local upgrades without management console approval.
Technical Analysis of the Exploit
Systemic Flaw in Anti-Tamper Protections
SentinelOne’s anti-tamper mechanism, designed to prevent unauthorized agent removal, fails during upgrades due to its reliance on process termination. Attackers weaponize this design oversight by interrupting the installer mid-execution, exploiting the gap between old agent termination and new agent activation.
Cross-Version Exploitability
Testing confirmed the attack’s efficacy across multiple SentinelOne agent versions (e.g., 23.4.4.223 to 23.4.6.347), highlighting a systemic rather than version-specific flaw.
Operational Impact
Affected endpoints appear offline in the SentinelOne management console post-attack, delaying detection. Babuk’s rapid encryption and data exfiltration exacerbate operational disruption, particularly in healthcare, finance, and critical infrastructure sectors.
Mitigation Strategies
1. Enable SentinelOne’s “Online Authorization”
Centralized Control: Requires management console approval for all agent upgrades/downgrades, blocking unauthorized local changes.
Default Configuration: Although this setting was previously disabled by default, SentinelOne now enables it for new installations. Existing users must activate it manually.
2. Enhanced Monitoring and Log Analysis
Track Event Logs: Monitor for EventID 1 (version changes), EventID 93, and EventID 1042.
Behavioral Analytics: Deploy tools to detect abnormal installer activity or rapid service termination.
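The forensic indicators above (EventID 93 unload, EventID 1042 MsiInstaller exit, rapid ProductVersion churn) only become a detection when they are correlated in time. The script below is an added example written for this article, not code from Stroz Friedberg or SentinelOne. It runs over constructed, normalized event records (the channel name "SentinelOne/Operational", the CommandType field, and a ProductVersion field on Application-log records are assumptions about how a collector would normalize the logs) and flags an unload that is followed by an installer exit with no subsequent agent activity, using version churn only as corroboration. The timing thresholds are tuning assumptions informed by the roughly 55-second gap the article describes.

```python
"""Correlate normalized Windows event records to flag an interrupted EDR upgrade.

Example code added for this article; assumed channel/field names are noted inline.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

S1_CHANNEL = "SentinelOne/Operational"   # assumed channel name after normalization
APP_CHANNEL = "Application"

# Tuning values are assumptions; the article reports a ~55 s unprotected window.
UNLOAD_TO_MSI_WINDOW = timedelta(seconds=120)   # unload -> MsiInstaller exit
RECOVERY_WINDOW = timedelta(seconds=300)        # time allowed for the new agent to log again
VERSION_CHURN_WINDOW = timedelta(seconds=300)   # window for counting distinct versions


@dataclass
class Event:
    ts: datetime
    channel: str
    event_id: int
    provider: str
    data: dict = field(default_factory=dict)


def find_interrupted_upgrades(events):
    """Return (unload, msi_exit) pairs where an EventID 93 'unload' is followed by an
    MsiInstaller EventID 1042 inside UNLOAD_TO_MSI_WINDOW but by no further SentinelOne
    operational record inside RECOVERY_WINDOW. Heuristic: a completed upgrade brings
    the new agent up, and a running agent logs again; a killed installer leaves silence."""
    evs = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, unload in enumerate(evs):
        if not (unload.channel == S1_CHANNEL and unload.event_id == 93
                and unload.data.get("CommandType") == "unload"):
            continue
        later = evs[i + 1:]
        msi_exit = next((e for e in later
                         if e.channel == APP_CHANNEL and e.event_id == 1042
                         and e.provider == "MsiInstaller"
                         and e.ts - unload.ts <= UNLOAD_TO_MSI_WINDOW), None)
        if msi_exit is None:
            continue
        recovered = any(e.channel == S1_CHANNEL
                        and msi_exit.ts < e.ts <= msi_exit.ts + RECOVERY_WINDOW
                        for e in later)
        if not recovered:
            hits.append((unload, msi_exit))
    return hits


def find_version_churn(events, min_versions=2):
    """Return the sorted distinct ProductVersion values seen in Application-log records
    within VERSION_CHURN_WINDOW of one another, or [] if fewer than min_versions appear."""
    ver_events = sorted((e for e in events
                         if e.channel == APP_CHANNEL and "ProductVersion" in e.data),
                        key=lambda e: e.ts)
    for i, first in enumerate(ver_events):
        window = [e for e in ver_events[i:] if e.ts - first.ts <= VERSION_CHURN_WINDOW]
        versions = {e.data["ProductVersion"] for e in window}
        if len(versions) >= min_versions:
            return sorted(versions)
    return []


def assess(events):
    """Combine both checks. Only an interrupted upgrade drives the verdict; version
    churn alone also occurs during a legitimate upgrade and is reported as context."""
    gaps = find_interrupted_upgrades(events)
    return {"interrupted_upgrades": len(gaps),
            "version_churn": find_version_churn(events),
            "verdict": "suspicious" if gaps else "benign"}


# Constructed sample timelines (not real log data). T0 is an arbitrary timestamp.
T0 = datetime(2025, 5, 1, 12, 0, 0)
_s = lambda n: T0 + timedelta(seconds=n)

# Interrupted upgrade: unload, installer exit 40 s later, then no agent activity at all.
SUSPICIOUS = [
    Event(_s(0), APP_CHANNEL, 1, "SentinelOne", {"ProductVersion": "23.4.4.223"}),
    Event(_s(10), S1_CHANNEL, 93, "SentinelOne", {"CommandType": "unload"}),
    Event(_s(50), APP_CHANNEL, 1042, "MsiInstaller"),
    Event(_s(55), APP_CHANNEL, 1, "SentinelOne", {"ProductVersion": "23.4.6.347"}),
    Event(_s(90), APP_CHANNEL, 1, "SentinelOne", {"ProductVersion": "23.4.4.223"}),
]

# Legitimate upgrade: same unload/exit pair, but the new agent logs again shortly after.
BENIGN = [
    Event(_s(0), APP_CHANNEL, 1, "SentinelOne", {"ProductVersion": "23.4.4.223"}),
    Event(_s(10), S1_CHANNEL, 93, "SentinelOne", {"CommandType": "unload"}),
    Event(_s(50), APP_CHANNEL, 1042, "MsiInstaller"),
    Event(_s(55), APP_CHANNEL, 1, "SentinelOne", {"ProductVersion": "23.4.6.347"}),
    # assumed counterpart record; the heuristic only needs some later operational record
    Event(_s(70), S1_CHANNEL, 93, "SentinelOne", {"CommandType": "load"}),
]

if __name__ == "__main__":
    for name, sample in (("SUSPICIOUS", SUSPICIOUS), ("BENIGN", BENIGN)):
        print(name, assess(sample))
```

Both samples show version churn, which is why the verdict hinges on the missing recovery event rather than on the version change itself. In production the same logic would be fed from a SIEM or from Windows event exports, and the recovery check could be tightened to a specific agent start-up record once its exact EventID is confirmed against the vendor's documentation.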
3. Strengthen Access Controls
Limit Local Admin Rights: Restrict privileges to reduce attack surface.
Patch Vulnerabilities: Address CVEs (e.g., CVE-2021-27065) exploited for initial access.
4. Ransomware-Specific Defenses
Immutable Backups: Ensure offline, versioned backups to negate encryption impact.
Network Segmentation: Isolate critical systems to hinder lateral movement.
5. Industry Collaboration
SentinelOne and Stroz Friedberg privately disclosed the attack pattern to other EDR vendors (e.g., Palo Alto Networks confirmed immunity) to preempt cross-platform exploitation.
Implications for Cybersecurity
This attack underscores two critical trends:
Legitimate Tool Abuse: Attackers increasingly weaponize trusted software (e.g., installers) to evade detection.
Configuration Over-Reliance: Default settings often prioritize convenience over security, necessitating rigorous hardening.
Conclusion
The BYOI exploit represents a paradigm shift in EDR evasion, blending simplicity with devastating efficacy. Organizations must urgently enable SentinelOne’s “Online Authorization,” audit endpoint configurations, and adopt layered defenses against ransomware. As Babuk variants proliferate via leaked source code, proactive mitigation remains the cornerstone of cyber resilience.
References
For detailed forensic methodologies and vendor advisories, consult Aon’s Stroz Friedberg report and SentinelOne’s mitigation guide.
Very interesting article, I know I can't be the only one nerding out over this stuff?