A research team at Stroz Friedberg (Aon), a SentinelOne partner, published research this week describing a local bypass technique that could affect SentinelOne’s Windows agent. The researchers first contacted SentinelOne in mid-January 2025 to share the issue. Upon being contacted by Stroz’s researchers, we immediately issued an update that prevents such techniques and communicated guidance to all of our customers regarding the new Local Upgrade Authorization toggle switch and how to protect against this type of local bypass attempt.
As Stroz themselves have reported, the technique described in the research requires an attacker to have a local administrator account on the machine they’re attempting to compromise and access to a SentinelOne-signed installer. Stroz’s researchers tested SentinelOne’s new local upgrade feature and noted its effectiveness in their blog, stating, “Stroz Friedberg performed preliminary testing surrounding this feature and was unable to perform the EDR bypass as previously described above once this option was enabled.”
SentinelOne also shared Stroz’s research with prominent EDR vendors, as the technique is one that could be applied against other endpoint protection products. While local administrator access poses a similar anti-tampering risk to EDR products in general, Stroz went on to say that they have no “knowledge of any EDR vendor, including SentinelOne, that is currently impacted by this attack when their product is properly configured.”
It’s important to note a few additional points that were not fully covered in Stroz’s original blog post.
Additional steps we’re taking to help customers protect against this technique:
We’d like to thank the team at Stroz Friedberg for their partnership in helping to protect customers from this type of technique.