UPDATES:
- This blog post has been updated for clarity and to add new related information.
- We have since released a new detection rule that specifically targets the technique described in the post below.
- We have also included an example query for related hunting.
A research team at Aon (Stroz Friedberg) published research this week describing a local bypass technique with the potential to impact SentinelOne’s Windows agent. The researchers first contacted SentinelOne in mid-January 2025 to share the issue. Upon being contacted by Stroz’s researchers, we immediately issued an update that made it even easier to prevent such techniques and communicated guidance (note: this is a password-protected site for SentinelOne customers only) to all of our customers regarding the new Local Upgrade Authorization toggle switch and how to use it to protect against this type of local bypass attempt.
As Stroz themselves have reported, the technique described in the research requires an attacker to have a local administrator account on the machine they’re attempting to compromise and access to a SentinelOne-signed installer. Stroz’s researchers tested SentinelOne’s new local upgrade feature and noted its effectiveness in their blog, stating, “Stroz Friedberg performed preliminary testing surrounding this feature and was unable to perform the EDR bypass as previously described above once this option was enabled.”
SentinelOne also shared Stroz’s research with prominent EDR vendors, as the technique is one that could be applied against other endpoint protection products. While such local access poses a similar anti-tamper threat to EDR products at large, Stroz went on to say that they have no “knowledge of any EDR vendor, including SentinelOne, that is currently impacted by this attack when their product is properly configured.”
It’s important to note a few additional points that were not fully covered in Stroz’s original blog post. Please also note that the following section has been updated for clarity and important context:
We have mitigated unapproved agent upgrades through the Local Upgrade Authorization feature, which has been available to customers since January 19, 2025. SentinelOne customers can access information about this feature in the password-protected SentinelOne documentation site here. When Local Upgrade Authorization is enabled, any attempt by a user to locally upgrade Windows agents is blocked. Customers can also optionally choose to enable local upgrades during predefined time windows.
SentinelOne also provides various types of protection for other types of bypasses:
- All agents are enabled by default with anti-tamper capabilities, such as protection against malicious drivers, defense evasions, and Bring Your Own Vulnerable Drivers (BYOVD).
- Agent passphrases are required by default for local uninstalls.
Additional notes and context:
- Local Upgrade Authorization applies exclusively to Windows agent deployments.
- This local upgrade protection configuration is not yet enabled by default for existing customers to ensure continuity of operations with existing deployment and upgrade workflows, notably with third-party tools, such as System Center Configuration Manager.
We are taking these additional steps to help customers protect against this bypass technique:
- We are now enabling the Local Upgrade Authorization feature by default for all new customers.
- UPDATE: We have released a new Platform Detection Library rule to detect the technique outlined in Aon’s blog. The rule, titled Potential Bring Your Own Installer (BYOI) Exploitation, is now available and can be enabled from the Library tab on the Detections page in the SentinelOne console. SentinelOne customers can access information about this feature in the password-protected SentinelOne documentation site here.
- UPDATE: We are currently deploying console updates to make the Local Upgrade Authorization feature more prominent.
- Additionally, we have updated customer communications reinforcing the guidance sent in January.
- UPDATE: The following example query can be used to hunt for any potential evidence that an attacker attempted to bypass the agent during the upgrade process.
endpoint.os = 'windows' and event.type = 'Process Creation' and ((tgt.process.name in:anycase ('tasklist.exe') or tgt.process.displayName contains 'Lists the current running tasks') or ((tgt.process.name in:anycase ('findstr.exe') or tgt.process.displayName contains 'Find String') and tgt.process.cmdline contains 'Sentinel') or (tgt.process.cmdline contains 'sentinelinstaller' or tgt.process.cmdline contains 'sentineloneinstaller'))
| limit 1600000
| let event.time = timebucket(event.time, '10 minutes')
| group count = count() , distinct_count_tgt_process_name = estimate_distinct(tgt.process.name) , list1 = array_agg_distinct(src.process.parent.cmdline) , list2 = array_agg_distinct(src.process.cmdline) , list3 = array_agg_distinct(tgt.process.cmdline) by event.time , endpoint.name , event.type
| let src_process_parent_cmdlines = array_to_string(list1,"\r\n")
| let src_process_cmdlines = array_to_string(list2,"\r\n")
| let tgt_process_cmdlines = array_to_string(list3,"\r\n")
| columns event.time , endpoint.name , count , event.type , distinct_count_tgt_process_name , src_process_parent_cmdlines , src_process_cmdlines , tgt_process_cmdlines
| filter tgt_process_cmdlines contains 'tasklist' and tgt_process_cmdlines contains 'findstr' and tgt_process_cmdlines contains 'sentinel' and tgt_process_cmdlines contains ('sentinelinstaller','sentineloneinstaller')
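To make the logic of the hunting query above concrete, here is an added Python example (not SentinelOne’s code, and not part of the original post) that applies the same pipeline to a handful of constructed process-creation events: a prefilter for tasklist, findstr-with-"Sentinel" and installer command lines, a 10-minute time bucket per endpoint, aggregation of the distinct command lines seen in each bucket, and the final filter requiring tasklist, findstr, "sentinel" and an installer name to all appear in the same bucket. The event field names and the sample events are assumptions made for this example; string matching is done case-insensitively here as a deliberate choice, which may differ from the console’s own operator semantics.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample process-creation events (not real telemetry).
# Field names are an assumption for this example, not the console schema.
SAMPLE_EVENTS = [
    {"time": "2025-01-20T10:03:12", "endpoint": "WS-01",
     "tgt_name": "SentinelInstaller.exe", "tgt_display": "",
     "tgt_cmdline": r"C:\Users\admin\Downloads\SentinelInstaller.exe",
     "src_cmdline": "explorer.exe", "src_parent_cmdline": "userinit.exe"},
    {"time": "2025-01-20T10:04:40", "endpoint": "WS-01",
     "tgt_name": "tasklist.exe", "tgt_display": "Lists the current running tasks",
     "tgt_cmdline": "tasklist",
     "src_cmdline": 'cmd.exe /c "tasklist | findstr Sentinel"',
     "src_parent_cmdline": "explorer.exe"},
    {"time": "2025-01-20T10:04:41", "endpoint": "WS-01",
     "tgt_name": "findstr.exe", "tgt_display": "Find String (grep) Utility",
     "tgt_cmdline": "findstr Sentinel",
     "src_cmdline": 'cmd.exe /c "tasklist | findstr Sentinel"',
     "src_parent_cmdline": "explorer.exe"},
    # Routine admin use on another host: tasklist alone is not a finding.
    {"time": "2025-01-20T11:00:05", "endpoint": "WS-02",
     "tgt_name": "tasklist.exe", "tgt_display": "Lists the current running tasks",
     "tgt_cmdline": "tasklist /svc",
     "src_cmdline": "powershell.exe", "src_parent_cmdline": "explorer.exe"},
]

INSTALLER_TOKENS = ("sentinelinstaller", "sentineloneinstaller")


def prefilter(ev):
    """Mirror the query's WHERE clause: keep tasklist, findstr-for-Sentinel,
    or installer command lines. Matching is case-insensitive (an assumption)."""
    name = ev["tgt_name"].lower()
    display = ev["tgt_display"]
    cmd = ev["tgt_cmdline"].lower()
    is_tasklist = name == "tasklist.exe" or "Lists the current running tasks" in display
    is_findstr_sentinel = (name == "findstr.exe" or "Find String" in display) and "sentinel" in cmd
    is_installer = any(tok in cmd for tok in INSTALLER_TOKENS)
    return is_tasklist or is_findstr_sentinel or is_installer


def timebucket(ts, minutes=10):
    """Floor a timestamp to the start of its N-minute bucket."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def hunt(events, bucket_minutes=10):
    """Group prefiltered events by (bucket, endpoint), aggregate distinct command
    lines, then keep only buckets where tasklist, findstr, 'sentinel' and an
    installer name all occur. Returns one finding dict per matching bucket."""
    groups = defaultdict(lambda: {"count": 0, "tgt_names": set(),
                                  "parent": [], "src": [], "tgt": []})
    for ev in events:
        if not prefilter(ev):
            continue
        key = (timebucket(datetime.fromisoformat(ev["time"]), bucket_minutes), ev["endpoint"])
        g = groups[key]
        g["count"] += 1
        g["tgt_names"].add(ev["tgt_name"].lower())
        # array_agg_distinct equivalent: keep first-seen order, drop duplicates
        for field, store in (("src_parent_cmdline", "parent"),
                             ("src_cmdline", "src"),
                             ("tgt_cmdline", "tgt")):
            if ev[field] not in g[store]:
                g[store].append(ev[field])

    findings = []
    for (bucket, endpoint), g in sorted(groups.items()):
        joined = "\r\n".join(g["tgt"]).lower()  # array_to_string(list3, "\r\n")
        required = all(tok in joined for tok in ("tasklist", "findstr", "sentinel"))
        installer = any(tok in joined for tok in INSTALLER_TOKENS)
        if required and installer:
            findings.append({
                "bucket": bucket.isoformat(),
                "endpoint": endpoint,
                "count": g["count"],
                "distinct_tgt_process_names": len(g["tgt_names"]),
                "src_process_parent_cmdlines": "\r\n".join(g["parent"]),
                "src_process_cmdlines": "\r\n".join(g["src"]),
                "tgt_process_cmdlines": "\r\n".join(g["tgt"]),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["bucket"], f["endpoint"], f["count"])
        print(f["tgt_process_cmdlines"])
```

The bucketing is what gives the query its signal: any one of these processes is ordinary on an administrator’s workstation, but an installer launch together with a tasklist-piped-into-findstr-for-Sentinel on the same host inside the same 10-minute window is the sequence worth triaging. Widening the bucket trades fewer misses for more benign matches, so tune it against your own upgrade workflows before relying on it.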
SentinelOne and Aon (Stroz Friedberg) have a longstanding strategic relationship focused on protecting customers by rapidly stopping and remediating threats. We’d like to thank the team at Stroz Friedberg for their collaboration in helping to protect customers from this type of technique.