Attackers Bypass SentinelOne EDR Using ‘Bring Your Own Installer’ Technique

Written by:
Lore Apostol
Cybersecurity & Streaming Writer

A loophole in the SentinelOne Endpoint Detection and Response (EDR) system was discovered that threat actors can exploit during the SentinelOne agent's upgrade or downgrade process to disable protection on targeted systems and leave endpoints vulnerable.

Dubbed the "Bring Your Own Installer" technique, this attack leverages a significant oversight in the SentinelOne EDR process, Aon’s Stroz Friedberg Incident Response Services (“Stroz Friedberg”) recently reported.

The vulnerability emerges during an agent version update or downgrade, when the SentinelOne processes are temporarily terminated. By precisely timing the interruption of this process, attackers were able to leave systems unprotected.

[Figure: Abstraction of expected SentinelOne agent version change process | Source: Aon]

The threat actor uses numerous legitimate, signed versions of SentinelOne installer files to initiate updates or downgrades. During the upgrade or downgrade, all SentinelOne processes are terminated for approximately 55 seconds.

By halting the msiexec.exe process in this critical window, the upgrade process is disrupted, leaving the system without active SentinelOne protection.

[Figure: Abstraction of "Bring Your Own Installer" EDR bypass | Source: Aon]

The attack method was successfully replicated in a controlled environment on a Windows Server 2022 host, confirming that the technique works and that the risk is real.

SentinelOne has responded to the vulnerability with mitigation recommendations for its customers. A key protective feature, “Online Authorization,” prevents local upgrades or downgrades without external validation. When enabled, this feature blocks unauthorized manipulations, effectively neutralizing the exploit.

Stroz Friedberg’s testing confirmed that enabling this security measure provides a robust line of defense, preventing the deactivation of SentinelOne's protection under this attack scenario.
