126. Adversaries Bypass EDR Protection with Bring Your Own Installer Technique
Hello everyone!
Another day - another EDR bypass technique. In a recent report, Aon's Stroz Friedberg Incident Response Team identified a "Bring Your Own Installer" technique used by a threat actor to bypass SentinelOne EDR.
The adversary ran a legitimate SentinelOne agent installer to start the upgrade process, which stops the running agent before the new version is installed, and then interrupted the upgrade by terminating the msiexec.exe process handling the version change. With the upgrade never completed, the host was left without a running agent. No exploit or malicious binary is involved: the installer is signed and legitimate, which is why the activity looks like routine administration. SentinelOne's recommended mitigation is to enable local upgrade/downgrade authorization ("Online Authorization") in the agent policy, so that an installer cannot stop the agent without approval from the management console.
If the telemetry is still available (the agent may have stopped reporting once it was shut down, so check events from before the upgrade started), we can hunt for suspicious msiexec.exe termination events, for example, via taskkill. Note that this query catches only the taskkill variant; Stop-Process from PowerShell or a kill from Task Manager would need a separate rule:
event_type: "processcreatewin"
AND
proc_file_name: "taskkill"
AND
cmdline: "msiexec"
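As an added example (not code from the original post or from Aon's report), the hunt above implemented over a few constructed process-creation events, widened in two ways: it also matches a PowerShell Stop-Process against msiexec, and it raises the severity when the kill follows an msiexec.exe launch of the agent installer on the same host within a short window. The field names, the installer file name (matched on the substring "sentinel") and the sample events are all assumptions made for this example.

```python
"""Hunt for 'Bring Your Own Installer' style EDR tampering in process-creation telemetry.

Added example, not code from the original post or from Aon's report. The
telemetry shape (field names), the installer path and the sample events
below are constructed for this example.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Ways to kill msiexec.exe from a command line. The post hunts for taskkill;
# Stop-Process is an assumed PowerShell equivalent added here.
KILL_PATTERNS = [
    re.compile(r"\btaskkill\b.*\bmsiexec", re.IGNORECASE),
    re.compile(r"\bstop-process\b.*\bmsiexec", re.IGNORECASE),
]

# Assumption: an agent upgrade shows up as msiexec.exe installing a package
# whose path contains "sentinel". Adjust to the real package name in your fleet.
INSTALLER_PATTERN = re.compile(r"sentinel", re.IGNORECASE)

# Constructed sample events in a Sysmon-like shape (not real logs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-05-01T10:00:00", "host": "WS01",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Temp\SentinelAgent.msi" /q'},
    {"ts": "2025-05-01T10:00:07", "host": "WS01",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im msiexec.exe"},
    {"ts": "2025-05-01T10:01:00", "host": "WS02",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im notepad.exe"},          # benign kill, not msiexec
    {"ts": "2025-05-01T10:05:00", "host": "WS03",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Stop-Process -Name msiexec -Force"},  # no prior installer
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_msiexec_kill(event: Dict[str, str]) -> bool:
    """The post's rule, widened: a kill utility whose command line names msiexec."""
    if basename(event["image"]) not in {"taskkill.exe", "powershell.exe", "pwsh.exe"}:
        return False
    return any(p.search(event["cmdline"]) for p in KILL_PATTERNS)


def is_agent_installer_run(event: Dict[str, str]) -> bool:
    """msiexec.exe launched with the (assumed) agent installer package."""
    return basename(event["image"]) == "msiexec.exe" and bool(
        INSTALLER_PATTERN.search(event["cmdline"]))


def hunt(events: List[Dict[str, str]], window: timedelta = timedelta(minutes=15)) -> List[Dict[str, str]]:
    """Return one finding per msiexec kill.

    Severity is 'high' when an agent installer run on the same host precedes
    the kill within `window` (the BYOI sequence), otherwise 'medium'.
    """
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    findings = []
    for e in ordered:
        if not is_msiexec_kill(e):
            continue
        kill_ts = datetime.fromisoformat(e["ts"])
        prior_installer = any(
            is_agent_installer_run(p)
            and p["host"] == e["host"]
            and kill_ts - window <= datetime.fromisoformat(p["ts"]) <= kill_ts
            for p in ordered
        )
        findings.append({
            "host": e["host"], "ts": e["ts"], "cmdline": e["cmdline"],
            "severity": "high" if prior_installer else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():6} {f['ts']} {f['host']} {f['cmdline']}")
```

Run against the sample data, WS01 is flagged high (installer launch followed seven seconds later by the kill), WS03 medium (a kill with no installer in the window), and the notepad kill on WS02 is ignored. The correlation step matters in practice: administrators do occasionally kill a hung msiexec.exe, but an msiexec launch of the EDR installer immediately followed by its termination is the exact sequence the report describes.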
See you tomorrow!