Protection Against Local Upgrade Technique Described in Aon Research
Summary: A research team at SentinelOne partner Aon discovered a local bypass technique that could affect SentinelOne's Windows agent and reported it to SentinelOne in mid-January 2025. SentinelOne promptly released an update and advised customers to use the new Local Upgrade Authorization feature to prevent this type of attack. The technique requires the attacker to hold local administrator privileges and to possess a SentinelOne-signed installer. SentinelOne also shared the research with other EDR vendors and further strengthened its security measures.

2025-05-06 15:50:12 Author: www.sentinelone.com

A research team at SentinelOne’s partner, Aon (Stroz Friedberg) published research this week that discussed a local bypass technique that had the potential to impact SentinelOne’s Windows agent. These researchers first contacted SentinelOne in mid-January 2025 to share the issue. Upon being contacted by Stroz’s researchers, we immediately issued an update that prevents such techniques and communicated guidance to all of our customers regarding the new Local Upgrade Authorization toggle switch and how to protect against this type of local bypass attempt.

As Stroz themselves have reported, the technique described in the research requires an attacker to have a local administrator account on the machine they’re attempting to compromise and access to a SentinelOne-signed installer. Stroz’s researchers tested SentinelOne’s new local upgrade feature and noted its effectiveness in their blog, stating, “Stroz Friedberg performed preliminary testing surrounding this feature and was unable to perform the EDR bypass as previously described above once this option was enabled.”

SentinelOne also shared Stroz’s research with prominent EDR vendors, as the technique is one that could be applied against other endpoint protection products. While such local access poses a similar threat to the anti-tampering protections of EDR products at large, Stroz went on to say that they have no “knowledge of any EDR vendor, including SentinelOne, that is currently impacted by this attack when their product is properly configured.”

It’s important to note a few additional points that were not fully covered in Stroz’s original blog post.

  1. We have multiple ways to protect customers from this type of bypass.
    a. The local agent passphrase is enabled by default to prevent unauthorized agent uninstalls and can also be enabled to protect against unauthorized agent upgrades.
    b. We also offer a Local Upgrade Authorization feature to ensure upgrades are authenticated through the SentinelOne console, which is the recommended method to protect against this bypass. SentinelOne customers can find documentation for this feature on the password-protected customer site.
  2. If a customer has enabled 1a or 1b, they are fully protected from this bypass.
  3. This local upgrade protection configuration is not enabled by default for existing customers to ensure continuity of operations with existing deployment and upgrade workflows, notably in third-party tools such as System Center Configuration Manager.

Additional steps we’re taking to help customers protect against this technique:

  • Today, we are further upgrading these security measures by enabling the Local Upgrade Authorization feature by default for all new customers.
  • Additionally, we have updated customer communications reinforcing the guidance sent in January.

We’d like to thank the team at Stroz Friedberg for their partnership in helping to protect customers from this type of technique.

Article source: https://www.sentinelone.com/blog/protection-against-local-upgrade-technique-described-in-aon-research/