Babuk Ransomware Deployed After SentinelOne Agent Termination via MSI Interrupt
A method to bypass SentinelOne’s Endpoint Detection and Response (EDR) protection by exploiting the agent’s upgrade and downgrade process was identified by Aon’s Stroz Friedberg Incident Response team. The bypass enabled threat actors with local administrator privileges to disable SentinelOne’s anti-tamper protections without the required authentication code, leaving the endpoint unprotected. This lapse allowed the deployment of Babuk ransomware in a confirmed intrusion. Remediation guidance from both SentinelOne and Stroz Friedberg urges using SentinelOne’s “‘Online authorization’ feature which removes the ability to perform local upgrades and downgrades and can be found in the Sentinels Policy menu in the management console. At the time of Stroz Friedberg’s investigation and testing, this option was not enabled by default.” SentinelOne has since provided updated guidance and engaged in coordinated disclosure efforts to inform other EDR vendors of the observed bypass method.
Stroz Friedberg’s investigation revealed that the bypass relies on interrupting the upgrade process of the SentinelOne agent. The forensic review of a compromised server uncovered multiple legitimate SentinelOne installer files (both .exe and .msi) with version discrepancies. Event logs, such as C:\Windows\System32\winevt\Logs\Application.evtx, showed EventID 1042 entries from MsiInstaller indicating abnormal installer termination. Additional artifacts included EventID 1 reflecting product version changes and EventID 93 signaling command-type unload events in SentinelOne’s operational log. In testing, Stroz Friedberg confirmed that initiating an upgrade terminated all existing SentinelOne processes, creating a brief window of about 55 seconds during which no agent was active. By executing a "taskkill" command on the "msiexec.exe" process during this window, the agent installation was halted, leaving the host unmonitored.
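The artifacts above (an agent unload, EventID 93, followed shortly by an MsiInstaller EventID 1042 abort for the SentinelOne product) can be correlated per host to hunt for interrupted upgrades. The following is an added example, not code from the report or from SentinelOne; the channel name, provider name and message texts in the sample records are constructed assumptions, as is the 120-second correlation window (wide enough to cover the roughly 55-second gap described above).

```python
from datetime import datetime

# Constructed sample records modelled on the artifacts described above (not real log exports).
# Fields: timestamp, host, channel, provider, event id, message.
SAMPLE_EVENTS = [
    # SRV-01: agent unload, then the installer is aborted 40 s later -> interrupted upgrade
    ("2025-01-10T10:00:00", "SRV-01", "SentinelOne/Operational", "SentinelAgent", 93,
     "Command type unload received"),
    ("2025-01-10T10:00:40", "SRV-01", "Application", "MsiInstaller", 1042,
     "Ended a Windows Installer transaction: Sentinel Agent. Abnormal termination."),
    # SRV-02: normal upgrade, unload followed by a product version change and no 1042
    ("2025-01-10T11:00:00", "SRV-02", "SentinelOne/Operational", "SentinelAgent", 93,
     "Command type unload received"),
    ("2025-01-10T11:00:50", "SRV-02", "SentinelOne/Operational", "SentinelAgent", 1,
     "Product version changed to 23.4.6.223"),
    # SRV-03: unrelated installer abort with no preceding agent unload
    ("2025-01-10T12:00:00", "SRV-03", "Application", "MsiInstaller", 1042,
     "Ended a Windows Installer transaction: Some Other Product."),
]


def find_interrupted_upgrades(events, window_seconds=120):
    """Return one hit per MsiInstaller 1042 naming a Sentinel product that follows a
    SentinelOne EventID 93 unload on the same host within window_seconds."""
    ordered = sorted(events, key=lambda e: e[0])
    last_unload = {}  # host -> timestamp of most recent EventID 93 unload
    hits = []
    for ts, host, channel, provider, event_id, message in ordered:
        when = datetime.fromisoformat(ts)
        if event_id == 93 and "sentinel" in (provider + channel).lower():
            last_unload[host] = when
            continue
        if provider == "MsiInstaller" and event_id == 1042 and "sentinel" in message.lower():
            unload = last_unload.get(host)
            if unload is None:
                continue  # no agent unload seen on this host: not the pattern described
            gap = (when - unload).total_seconds()
            if 0 <= gap <= window_seconds:
                hits.append({"host": host, "unload": unload.isoformat(),
                             "abort": when.isoformat(), "gap_seconds": gap})
    return hits


if __name__ == "__main__":
    for hit in find_interrupted_upgrades(SAMPLE_EVENTS):
        print(f"{hit['host']}: agent unloaded {hit['unload']}, installer aborted "
              f"{hit['gap_seconds']:.0f}s later ({hit['abort']})")
```

Against real data, feed it records exported from Application.evtx and the SentinelOne operational log with the same field layout; a hit is a prompt to confirm in the management console whether the host is still reporting.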
Testing was performed on a Windows Server 2022 system running SentinelOne version 23.4.6.223, although Stroz Friedberg confirmed the bypass was effective across multiple agent versions. The manipulated upgrade process, once interrupted, led to the host appearing offline in the SentinelOne management console, confirming the system was no longer under active protection. Stroz Friedberg did not identify any use of malicious or vulnerable drivers, supporting the conclusion that the attack leveraged only legitimate installer behavior. SentinelOne has since addressed the issue by promoting the use of “Local Upgrade Authorization,” which requires authentication through the management console before agent upgrades are permitted. SentinelOne has enabled this feature by default for new customers and reissued updated guidance to existing clients. The remediation steps have been verified through additional testing by Stroz Friedberg.