Threat Actor Bypasses SentinelOne EDR to Deploy Babuk Ransomware Payload

A threat actor has bypassed the SentinelOne Endpoint Detection and Response (EDR) agent to deploy Babuk ransomware. The attack shows how EDR evasion tactics continue to evolve: rather than exploiting a flaw in the agent or loading a vulnerable driver, the actor abused SentinelOne's own signed installer (a technique Aon's researchers call "Bring Your Own Installer") to stop the running agent and leave the host unprotected before executing the ransomware payload.

Severity Level: High

THREAT OVERVIEW:

  1. Technique: Bring Your Own Installer (BYOI) to downgrade the SentinelOne agent
  2. EDR Disruption Tactics:
    The attacker used legitimate, signed SentinelOne installers (SentinelOneInstaller_windows_64bit_v23_4_4_223.exe and SentinelInstaller_windows_64bit_v23_4_6_347.msi), not a vulnerable kernel driver. During a local upgrade or downgrade the installer stops the running agent before the replacement version is started; by terminating the Windows Installer process (msiexec.exe) in that window, the attacker left the host with no SentinelOne agent running and then deployed the ransomware.
  3. Privilege Escalation:
    The threat actor obtained local administrative access on a publicly accessible server by exploiting a vulnerability in an application running on that server. Local administrator rights are the precondition for the technique, since running the installer and killing the installer process both require them.
  4. Loader and Payload Obfuscation:
    The Babuk payload was embedded within a heavily obfuscated loader, making detection via static or behavioral signatures more difficult.
  5. Execution Flow:
    Attack chain followed a multi-stage delivery—initial access, tool deployment for EDR evasion, then final ransomware execution.
  6. Pre-ransomware deployment:
    Evidence suggests pre-ransom reconnaissance, likely to identify high-value systems and backups before detonation.
  7. Persistence Mechanism:
    No persistent backdoors were reported. The technique does not rely on an implant or a driver; it relies on the window in which no SentinelOne agent is running after the interrupted installation.

AFFECTED VERSION:

SentinelOne version 23.4.6.223 and prior (as reported in the sources below). Note that this is a policy-dependent technique rather than a code defect: it succeeds on agents whose policy does not have the “Online Authorization” setting for local upgrades enabled.

Recommendations:

  1. Enable the “Online Authorization” setting in the Sentinels policy immediately; with it on, local upgrades, downgrades and uninstalls require approval from the management console, which blocks the bypass described above.
  2. Monitor systems for unexpected SentinelOne agent version changes (Event ID 1).
  3. Watch for multiple product version changes on the same host within a short period, and for downgrades in particular.
  4. Monitor for SentinelOne installer executions that were not initiated from the management console, for msiexec.exe processes terminated mid-installation, and for sudden deactivation of security services.
  5. Keep EDR agents current and apply the vendor's hardening guidance (see the SentinelOne advisory under Sources).
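The version-churn hunt from recommendations 2 and 3, as an added example that is not part of the original advisory and not SentinelOne's own tooling. It runs over constructed sample version-report records; the record layout (host, timestamp, product_version) is an assumption for this example, since the real Event ID 1 fields are not shown on this page. It flags any host that reports a downgrade, and any host with two or more version changes inside a one-hour window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one record per agent
# version report. The field layout is an assumption for this example.
SAMPLE_EVENTS = [
    {"host": "WEB01", "time": "2025-05-05T09:00:00", "product_version": "23.4.6.347"},
    {"host": "WEB01", "time": "2025-05-05T10:02:00", "product_version": "23.4.4.223"},  # downgrade
    {"host": "WEB01", "time": "2025-05-05T10:09:00", "product_version": "23.4.6.347"},  # back up
    {"host": "FS02",  "time": "2025-05-05T09:00:00", "product_version": "23.4.6.347"},
    {"host": "FS02",  "time": "2025-05-06T14:00:00", "product_version": "24.1.1.100"},  # routine upgrade
    {"host": "DB03",  "time": "2025-05-05T09:00:00", "product_version": "23.4.6.347"},
    {"host": "DB03",  "time": "2025-05-05T09:30:00", "product_version": "23.4.6.347"},  # no change
]


def parse_version(text):
    """'23.4.6.347' -> (23, 4, 6, 347) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def find_version_changes(events):
    """Return one record per host report whose version differs from the host's previous report."""
    last_seen = {}
    changes = []
    # ISO-8601 timestamps sort correctly as strings, so (host, time) gives per-host order.
    for ev in sorted(events, key=lambda e: (e["host"], e["time"])):
        host, version = ev["host"], ev["product_version"]
        prev = last_seen.get(host)
        if prev is not None and prev != version:
            changes.append({
                "host": host,
                "time": datetime.fromisoformat(ev["time"]),
                "old": prev,
                "new": version,
                "downgrade": parse_version(version) < parse_version(prev),
            })
        last_seen[host] = version
    return changes


def flag_suspicious_hosts(events, window=timedelta(hours=1), min_changes=2):
    """Map host -> reasons, for hosts with a downgrade or >= min_changes changes inside `window`."""
    by_host = defaultdict(list)
    for change in find_version_changes(events):
        by_host[change["host"]].append(change)

    findings = {}
    for host, changes in by_host.items():
        reasons = []
        if any(c["downgrade"] for c in changes):
            reasons.append("downgrade")
        # Sliding window over the chronologically ordered changes for this host.
        for i, first in enumerate(changes):
            inside = [c for c in changes[i:] if c["time"] - first["time"] <= window]
            if len(inside) >= min_changes:
                reasons.append(f"{len(inside)} version changes within {window}")
                break
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

A routine, console-driven upgrade (FS02) produces a single upward change and is not flagged; the WEB01 pattern of a downgrade followed minutes later by a return to the previous version is the shape the BYOI technique leaves in version telemetry.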

Source:

  • https://cybersecuritynews.com/threat-actor-bypass-sentinelone-edr/
  • https://gbhackers.com/threat-actor-evades-sentinelone-edr/
  • https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone
  • https://www.sentinelone.com/blog/protection-against-local-upgrade-technique-described-in-aon-research/

Ampcus Cyber