BleepingComputer reports that threat actors have distributed Babuk ransomware without being detected by SentinelOne's tamper protection feature using a novel "Bring Your Own Installer" EDR evasion technique.
Although SentinelOne's EDR agent is protected by an anti-tamper feature, that defense can be bypassed by running a legitimate SentinelOne installer and then forcibly terminating the install process at the point where it has shut down the running agent, according to a report from Aon's Stroz Friedberg Incident Response team. The researchers note that the technique works against both newer and older iterations of the agent. "Further testing showed that the attack was successful across multiple versions of the SentinelOne agent and was not dependent on the specific versions observed in this incident," said the report. Organizations using SentinelOne's EDR have been advised to enable "Online Authorization" in the Sentinel Policy settings, which requires approval from the SentinelOne management console before any upgrade or uninstallation can proceed.
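The sequence described above (legitimate installer starts, agent goes down, installer is killed before the agent comes back) is visible in ordinary endpoint telemetry, so a defender can hunt for it independently of the vendor's own tamper protection. The following script is an added example written for this page, not SentinelOne's or Aon's tooling. It runs a simple correlation rule over constructed process and service events; the installer image name, the agent service name and the timestamps are assumptions made for illustration, and a real deployment would substitute the names observed in its own environment.

```python
"""Correlation rule for an installer-abuse agent outage.

Added example for this page (not vendor code). Event format, image name,
service name and timestamps below are constructed/assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed names; adjust to what your telemetry actually reports.
INSTALLER = "sentinelinstaller.exe"   # assumed installer image name
AGENT_SVC = "sentinelagent"           # assumed agent service name


@dataclass
class Event:
    ts: datetime
    kind: str   # proc_start | proc_end | svc_stop | svc_start
    name: str   # process image or service name, lower-cased


def parse(line: str) -> Event:
    """Parse one 'timestamp|kind|name' record (constructed format)."""
    ts, kind, name = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), kind, name.lower())


def find_installer_abuse(events, max_gap=timedelta(minutes=10)):
    """Flag installer runs where the agent service stopped and the installer
    process ended without the agent service starting again within max_gap.

    A normal upgrade stops the agent, starts the new one, then the installer
    exits; an abused run never reaches the svc_start step.
    """
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    for i, start in enumerate(events):
        if start.kind != "proc_start" or start.name != INSTALLER:
            continue
        svc_stopped = installer_ended = svc_restarted = None
        for ev in events[i + 1:]:
            if ev.ts - start.ts > max_gap:
                break
            if ev.kind == "svc_stop" and ev.name == AGENT_SVC and svc_stopped is None:
                svc_stopped = ev.ts
            elif ev.kind == "proc_end" and ev.name == INSTALLER and installer_ended is None:
                installer_ended = ev.ts
            elif ev.kind == "svc_start" and ev.name == AGENT_SVC and svc_stopped is not None:
                svc_restarted = ev.ts
                break  # agent came back: benign upgrade
        if svc_stopped and installer_ended and svc_restarted is None:
            alerts.append({
                "installer_started": start.ts,
                "agent_stopped": svc_stopped,
                "installer_ended": installer_ended,
            })
    return alerts


def scan(lines):
    """Convenience wrapper: raw records in, alerts out."""
    return find_installer_abuse([parse(l) for l in lines])


# Constructed sample telemetry (not from the reported incident).
BENIGN_UPGRADE = [
    "2024-01-01T10:00:00|proc_start|SentinelInstaller.exe",
    "2024-01-01T10:00:30|svc_stop|SentinelAgent",
    "2024-01-01T10:01:10|svc_start|SentinelAgent",
    "2024-01-01T10:01:20|proc_end|SentinelInstaller.exe",
]
KILLED_INSTALL = [
    "2024-01-01T11:00:00|proc_start|SentinelInstaller.exe",
    "2024-01-01T11:00:30|svc_stop|SentinelAgent",
    "2024-01-01T11:00:35|proc_end|SentinelInstaller.exe",
    "2024-01-01T11:30:00|proc_start|notepad.exe",
]

if __name__ == "__main__":
    print("benign:", scan(BENIGN_UPGRADE))
    print("suspect:", scan(KILLED_INSTALL))
```

The rule deliberately keys on the absence of the agent's restart rather than on the installer alone, because legitimate upgrades produce the same first two events; tuning `max_gap` to your environment's typical upgrade duration keeps slow but normal installs from alerting. Pair this hunt with the Online Authorization setting the report recommends, which stops unapproved upgrades before the agent is ever taken down.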