In a concerning revelation for enterprise security, researchers from Aon’s Stroz Friedberg Incident Response team have uncovered a new Endpoint Detection and Response (EDR) bypass technique dubbed the “Bring Your Own Installer” (BYOI) attack. The method leverages a vulnerability in the SentinelOne upgrade process to disable its tamper protection, paving the way for ransomware deployment.
Unlike traditional bypasses that use third-party tools or malicious drivers, this technique repurposes SentinelOne’s legitimate Windows installer. During a routine upgrade, the installer momentarily shuts down protection services before replacing files. Threat actors exploit this critical window by terminating the installation process mid-upgrade, effectively leaving the system unprotected.
“This is not a theoretical exploit,” said the DFIR Manager at Aon. “We’ve seen it used in the wild to deploy Babuk ransomware.”
SentinelOne includes an anti-tamper mechanism to prevent unauthorized uninstalls or service shutdowns. However, this protection does not cover the upgrade process itself, which temporarily stops the agent’s processes by design.
Attackers who gain administrative access to a victim network—typically via known vulnerabilities—can execute this exploit by launching the SentinelOne MSI installer and terminating the msiexec.exe process after agent services are stopped but before the new version launches.
In one confirmed incident, attackers used this technique to disable EDR protections across multiple machines before executing ransomware payloads. The hosts disappeared from the SentinelOne management console shortly after the installers were forcefully terminated, according to logs reviewed by Stroz Friedberg. The flaw affects multiple agent versions, and the attacker does not need the latest build to carry out the attack.
In response to the disclosure, SentinelOne issued mitigation guidance in January 2025. The primary recommendation is enabling “Online Authorization” in the Sentinel Policy settings. This feature, off by default, prevents local upgrades or uninstallations unless approved through the SentinelOne management console.
Despite the advisory, many clients have yet to implement this safeguard. “Getting the word out to mitigate this bypass is the most important thing,” Ailes emphasized. To ensure broader industry protection, SentinelOne shared the findings with other EDR vendors. Palo Alto Networks confirmed its EDR products are not vulnerable to this exploit.
This discovery marks a troubling trend in cyber defense—where threat actors increasingly turn legitimate security tools into attack vectors. The SentinelOne BYOI technique is particularly dangerous as it requires no external malware or drivers and blends in with routine administrative activity.
Security professionals are urged to audit EDR configurations, enable tamper-proof upgrade controls, and monitor installer behavior to prevent similar exploits. As ransomware operations like Babuk evolve and seek creative paths to compromise, the integrity of even trusted tools must be constantly scrutinized.
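One way to act on the "monitor installer behavior" advice is to correlate host telemetry for the sequence described above: a SentinelOne MSI launched through msiexec.exe, the agent service stopping, msiexec.exe exiting, and the agent not coming back. The script below is an added illustration, not Aon's or SentinelOne's detection logic; the event schema, service name and installer filename are constructed for the example.

```python
"""Flag hosts where a SentinelOne upgrade stopped the agent and the agent
never restarted (the interrupted-upgrade pattern described in the article).

Heuristic (an assumption for this example, not a vendor detection rule):
msiexec.exe starts with a SentinelOne MSI -> agent service stops ->
msiexec.exe ends -> no agent service start within GRACE_SECONDS."""
from datetime import datetime, timedelta

GRACE_SECONDS = 120

# Constructed sample events (not real telemetry); field names are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2025-01-15T10:00:00", "kind": "proc_start",
     "detail": "msiexec.exe /i SentinelInstaller_example.msi /quiet"},
    {"host": "ws01", "time": "2025-01-15T10:00:20", "kind": "svc_stop", "detail": "SentinelAgent"},
    {"host": "ws01", "time": "2025-01-15T10:00:25", "kind": "proc_end", "detail": "msiexec.exe"},
    # ws02 is a normal upgrade: the agent service returns before msiexec exits.
    {"host": "ws02", "time": "2025-01-15T11:00:00", "kind": "proc_start",
     "detail": "msiexec.exe /i SentinelInstaller_example.msi /quiet"},
    {"host": "ws02", "time": "2025-01-15T11:00:20", "kind": "svc_stop", "detail": "SentinelAgent"},
    {"host": "ws02", "time": "2025-01-15T11:01:10", "kind": "svc_start", "detail": "SentinelAgent"},
    {"host": "ws02", "time": "2025-01-15T11:01:30", "kind": "proc_end", "detail": "msiexec.exe"},
]


def _agent_restarted(evs, stop_at, grace):
    """True if an agent service start follows stop_at within the grace window."""
    window_end = stop_at + timedelta(seconds=grace)
    return any(e["kind"] == "svc_start" and "sentinel" in e["detail"].lower()
               and stop_at < datetime.fromisoformat(e["time"]) <= window_end for e in evs)


def detect_interrupted_upgrade(events, grace=GRACE_SECONDS):
    """Return sorted hosts where the installer exited with the agent still down."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(e["host"], []).append(e)
    flagged = set()
    for host, evs in by_host.items():
        installer_running, stop_at = False, None
        for e in evs:
            d = e["detail"].lower()
            if e["kind"] == "proc_start" and "msiexec" in d and "sentinel" in d:
                installer_running, stop_at = True, None
            elif e["kind"] == "svc_stop" and installer_running and "sentinel" in d:
                stop_at = datetime.fromisoformat(e["time"])
            elif e["kind"] == "proc_end" and "msiexec" in d and stop_at is not None:
                if not _agent_restarted(evs, stop_at, grace):
                    flagged.add(host)  # installer gone, protection still off
                installer_running, stop_at = False, None
    return sorted(flagged)


if __name__ == "__main__":
    print(detect_interrupted_upgrade(SAMPLE_EVENTS))  # ['ws01']
```

A hit here is corroborated by the host dropping off the management console, which the article notes was visible in the incident logs.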