Threat Actors Bypass SentinelOne EDR to Deploy Babuk Ransomware
A new attack method, dubbed “Bring Your Own Installer,” abuses a weakness in SentinelOne’s agent upgrade process to disable EDR protection and then deploy Babuk ransomware without detection. The attackers do not need a malicious tool or a driver exploit: they run a legitimate SentinelOne agent installer, and during the upgrade that installer terminates the running agent processes, leaving the host without EDR coverage. SentinelOne has issued guidance advising customers to enable the “Online Authorization” setting, which makes local agent upgrades and downgrades require approval from the management console before they proceed; the setting must be turned on explicitly.
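Because the bypass leaves a window in which the agent process has stopped and never comes back, a defender can hunt for exactly that condition in process telemetry. The following is an added illustration, not code from SentinelOne or from the researchers who documented the technique: it parses a small set of constructed process start/stop records, flags every agent stop that is not followed by an agent start within a grace period, and notes whether an installer was launched just before the stop. The record format, the agent image name (`sentinelagent.exe`) and the rule that an installer launch is any non-agent process whose command line mentions `sentinel` are assumptions made for the example.

```python
"""Flag EDR agent stops that are not followed by a restart.

Added illustration, not SentinelOne's or the researchers' code. The log
format, process names and installer marker below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the agent image names that count as "the EDR".
AGENT_IMAGES = {"sentinelagent.exe"}
# Assumption: an installer launch is a non-agent process start whose command
# line mentions the vendor, e.g. "msiexec.exe /i SentinelInstaller_x64.msi".
INSTALLER_MARKER = "sentinel"
# How long a legitimate upgrade may leave the agent down before we alert.
GRACE = timedelta(minutes=5)

# Constructed sample telemetry: "timestamp|host|action|image path|command line".
# HOST-A: installer runs, agent stops, installer is killed, agent never returns.
# HOST-B: installer runs, agent stops, agent restarts 37 s later (normal upgrade).
# HOST-C: agent stops with no installer in sight and never returns.
SAMPLE_LOG = """
2025-05-05T10:00:00|HOST-A|start|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\Temp\\SentinelInstaller_x64.msi /q
2025-05-05T10:00:04|HOST-A|stop|C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe|
2025-05-05T10:00:05|HOST-A|stop|C:\\Windows\\System32\\msiexec.exe|
2025-05-05T10:01:00|HOST-B|start|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\Temp\\SentinelInstaller_x64.msi /q
2025-05-05T10:01:03|HOST-B|stop|C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe|
2025-05-05T10:01:40|HOST-B|start|C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe|SentinelAgent.exe
2025-05-05T11:30:00|HOST-C|stop|C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe|
"""


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    action: str   # "start" or "stop"
    image: str    # lower-cased image basename
    cmdline: str


def parse_events(log: str) -> list[ProcEvent]:
    """Parse the constructed pipe-delimited records, sorted by host then time."""
    events = []
    for line in log.strip().splitlines():
        ts, host, action, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, action,
                                image.rsplit("\\", 1)[-1].lower(), cmdline))
    return sorted(events, key=lambda e: (e.host, e.ts))


def is_installer_launch(ev: ProcEvent) -> bool:
    """Heuristic (assumption): a non-agent start whose command line names the vendor."""
    return (ev.action == "start" and ev.image not in AGENT_IMAGES
            and INSTALLER_MARKER in ev.cmdline.lower())


def find_unprotected_hosts(events: list[ProcEvent], grace: timedelta = GRACE) -> list[dict]:
    """One alert per agent stop with no agent start within `grace` afterwards.

    Each alert records whether an installer launch preceded the stop within
    `grace`, which separates the upgrade-abuse pattern from a plain service stop.
    """
    by_host: dict[str, list[ProcEvent]] = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev.action != "stop" or ev.image not in AGENT_IMAGES:
                continue
            restarted = any(e.action == "start" and e.image in AGENT_IMAGES
                            and ev.ts < e.ts <= ev.ts + grace
                            for e in evs[i + 1:])
            if restarted:
                continue  # normal upgrade: the agent came back in time
            installer_seen = any(is_installer_launch(e)
                                 and ev.ts - grace <= e.ts <= ev.ts
                                 for e in evs[:i])
            alerts.append({"host": host,
                           "stopped_at": ev.ts.isoformat(),
                           "installer_launched_before": installer_seen})
    return alerts


if __name__ == "__main__":
    for alert in find_unprotected_hosts(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample, the rule flags HOST-A (agent stopped right after an installer launch and never restarted) and HOST-C (agent stopped with no installer activity), while HOST-B passes because its agent was back within the grace period. In production the same logic would read process creation and termination events from the SIEM rather than the inline sample, and the installer heuristic should be tightened to the installer names and paths actually used in the estate.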