126. Adversaries Bypass EDR Protection with Bring Your Own Installer Technique

Hello everyone!

Another day - another EDR bypass technique. In a recent report, Aon's Stroz Friedberg Incident Response Team identified the Bring Your Own Installer technique, used by a threat actor to bypass SentinelOne EDR.

The adversary leveraged a legitimate SentinelOne EDR installer to start the agent upgrade process, then interrupted it by terminating the msiexec.exe process associated with the SentinelOne version change, leaving the host without a running agent.

If the process telemetry is still available, we can hunt for suspicious msiexec.exe termination events, for example, via taskkill:

event_type: "processcreatewin"
AND proc_file_name: "taskkill"
AND cmdline: "msiexec"
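As an added example (not from the original post or from Stroz Friedberg's report), here is the same three-clause hunt logic applied in Python to a few constructed process-creation events. The field names event_type, proc_file_name and cmdline follow the query above; the event layout, the sample values and the helper that pulls the killed image name out of the taskkill command line are assumptions made for the example.

```python
# Added example: run the post's msiexec-termination hunt over constructed events.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    """Minimal process-creation record using the field names from the hunt query."""
    event_type: str
    proc_file_name: str
    cmdline: str


# Constructed sample telemetry (not real logs). Only the first event should match.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent("processcreatewin", "taskkill.exe", "taskkill /F /IM msiexec.exe"),
    # PID-based kill: the page's cmdline clause cannot see which image is targeted.
    ProcEvent("processcreatewin", "taskkill.exe", "taskkill /PID 4321 /F"),
    ProcEvent("processcreatewin", "msiexec.exe", "msiexec /i installer.msi /quiet"),
    ProcEvent("processcreatewin", "taskkill.exe", "taskkill /F /IM notepad.exe"),
    # Wrong event type: the query is scoped to process creation only.
    ProcEvent("processterminatewin", "taskkill.exe", "taskkill /F /IM msiexec.exe"),
]


def is_suspicious_msiexec_kill(ev: ProcEvent) -> bool:
    """Mirror of the hunt query: taskkill process creation with msiexec on the command line."""
    return (
        ev.event_type == "processcreatewin"
        and "taskkill" in ev.proc_file_name.lower()
        and "msiexec" in ev.cmdline.lower()
    )


def killed_image(cmdline: str) -> Optional[str]:
    """Return the image name passed to taskkill via /IM, or None for /PID-style kills.

    Helper assumed for this example; it only understands the /IM <name> form.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "/im":
            return tokens[i + 1].lower()
    return None


def hunt(events: List[ProcEvent]) -> List[ProcEvent]:
    """Apply the hunt logic and return only the matching events."""
    return [ev for ev in events if is_suspicious_msiexec_kill(ev)]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"[HIT] {ev.proc_file_name}: {ev.cmdline} (target={killed_image(ev.cmdline)})")
```

The second sample event shows the gap a practitioner should keep in mind: a kill by PID (`taskkill /PID ... /F`) never carries the string "msiexec", so the cmdline clause alone will not see it. Covering that case needs correlation of the target PID with an earlier msiexec.exe process-creation event, which the query on this page does not attempt.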

See you tomorrow!
