A newly reported technique against the SentinelOne EDR agent is raising red flags across the cybersecurity community. As detailed in a recent Dark Reading article, attackers used a “Bring Your Own Installer” (BYOI) attack to bypass endpoint detection and response by turning the product's own signed installer against it.
This method exposes a broader vulnerability in the "detect and respond" security paradigm — a model that continues to fall short against stealthy, evasive malware techniques.
This latest attack illustrates a growing trend: adversaries aren’t just exploiting zero-day vulnerabilities or brute-forcing their way through defenses; they’re using the system’s own trusted tools against it. The BYOI tactic lets an attacker who already holds local administrator rights sidestep security controls by running a legitimate, signed installer that the EDR trusts, leaving the endpoint unprotected while the malicious payload is deployed.
How the Attack Works
Incident responders at Aon's Stroz Friedberg found that a threat actor ran a legitimate, signed SentinelOne agent installer on a host they already controlled. When the installer performs an upgrade or downgrade, it first stops the running agent processes and only then lays down the new version. The attacker terminated the installer (msiexec.exe) at exactly that point, so the new agent was never installed and the old one was already gone, leaving the endpoint with no running EDR at all. Because the installer is a trusted, signed binary and stopping the agent is part of its normal upgrade flow, nothing in the process raised an alarm; the attacker then deployed ransomware (Babuk, in the reported case). SentinelOne's recommended mitigation is the console's “Online Authorization” setting, which requires approval from the management console before a local upgrade, downgrade or uninstall is allowed to proceed.
This technique is named by analogy with the more broadly known “Bring Your Own Vulnerable Driver” (BYOVD) approach, which cybercriminals have increasingly weaponized in recent years. Both turn a signed, trusted component into the means of disabling defenses, but BYOI needs no vulnerable driver at all, only a legitimate installer and local admin rights. What makes this instance particularly alarming is that the attack bypassed one of the leading commercial EDR solutions in use today, further evidence that detection-based models alone can no longer keep up with sophisticated threats.
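One check a defender can run over endpoint telemetry is to look for the sequence the bypass relies on, as reported by the responders who found it: a trusted SentinelOne installer starts, the agent service stops for the upgrade, the installer is terminated before it finishes, and the agent never comes back. The script below is an added example, not code from the Dark Reading article, from Stroz Friedberg, from SentinelOne or from AppGuard. The log lines, field names, PIDs, file names, the service name SentinelAgent and the 120-second grace window are constructed assumptions that loosely resemble Sysmon process events and Service Control Manager 7036 records; map them onto your own telemetry before relying on the logic.

```python
"""Correlate installer start, agent-service stop and installer termination.

Added example (not from the article, the responders, SentinelOne or AppGuard).
Flags an installer run that left the EDR agent stopped, which is the footprint
of the "Bring Your Own Installer" bypass. All names, PIDs and timings below
are constructed assumptions, not real telemetry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

AGENT_SERVICE = "SentinelAgent"                    # assumed agent service name
INSTALLER_IMAGES = {"msiexec.exe", "sentinelinstaller.exe"}  # assumed images
GRACE = timedelta(seconds=120)                     # how long the agent may stay down


@dataclass
class Event:
    ts: datetime
    kind: str                                      # proc_start | proc_end | svc_stop | svc_start
    fields: Dict[str, str] = field(default_factory=dict)


def parse_events(log: str) -> List[Event]:
    """Parse constructed 'ts|kind|k=v|k=v' lines into Events sorted by time."""
    events = []
    for line in log.strip().splitlines():
        ts, kind, *kv = line.split("|")
        fields = dict(p.split("=", 1) for p in kv)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), kind, fields))
    return sorted(events, key=lambda e: e.ts)


def is_sentinel_installer(e: Event) -> bool:
    """A process start of a known installer image whose command line names SentinelOne."""
    return (e.kind == "proc_start"
            and e.fields.get("image", "").lower() in INSTALLER_IMAGES
            and "sentinel" in e.fields.get("cmdline", "").lower())


def find_byoi_bypass(events: List[Event], grace: timedelta = GRACE) -> List[dict]:
    """Return one finding per installer run that stopped the agent and never restarted it."""
    findings = []
    for i, start in enumerate(events):
        if not is_sentinel_installer(start):
            continue
        pid = start.fields.get("pid")
        agent_stopped = installer_ended = None
        for e in events[i + 1:]:
            if e.kind == "svc_stop" and e.fields.get("service") == AGENT_SERVICE:
                agent_stopped = agent_stopped or e.ts       # first stop after installer start
            elif e.kind == "proc_end" and e.fields.get("pid") == pid:
                installer_ended = e.ts                      # installer exited or was killed
                break
        if agent_stopped is None or installer_ended is None:
            continue
        # A legitimate upgrade starts the new agent before the installer exits;
        # a short grace window after the installer is gone is also tolerated.
        restarted = any(
            e.kind == "svc_start" and e.fields.get("service") == AGENT_SERVICE
            and agent_stopped <= e.ts <= installer_ended + grace
            for e in events
        )
        if not restarted:
            findings.append({
                "installer_pid": pid,
                "installer_started": start.ts.isoformat(),
                "agent_stopped": agent_stopped.isoformat(),
                "installer_terminated": installer_ended.isoformat(),
                "reason": "agent service not restarted after installer terminated",
            })
    return findings


# Constructed telemetry: an operator-run upgrade that completes normally.
BENIGN_LOG = """
2025-05-05T10:00:00Z|proc_start|pid=4321|image=msiexec.exe|cmdline=msiexec.exe /i SentinelInstaller.msi /q
2025-05-05T10:00:05Z|svc_stop|service=SentinelAgent
2025-05-05T10:00:40Z|svc_start|service=SentinelAgent
2025-05-05T10:00:45Z|proc_end|pid=4321|image=msiexec.exe
"""

# Constructed telemetry: the same installer, killed as soon as the agent is down.
SUSPECT_LOG = """
2025-05-05T11:00:00Z|proc_start|pid=8765|image=msiexec.exe|cmdline=msiexec.exe /i SentinelInstaller.msi /q
2025-05-05T11:00:05Z|svc_stop|service=SentinelAgent
2025-05-05T11:00:06Z|proc_end|pid=8765|image=msiexec.exe
2025-05-05T11:00:30Z|proc_start|pid=9001|image=payload.exe|cmdline=payload.exe
"""

if __name__ == "__main__":
    for name, log in (("benign", BENIGN_LOG), ("suspect", SUSPECT_LOG)):
        print(name, find_byoi_bypass(parse_events(log)))
```

The rule deliberately keys on the outcome (agent down, installer gone, no restart) rather than on the installer being malicious, because the installer is genuine and signed; the same logic applies to any EDR whose upgrade path stops the agent before the new version is in place. It is a complement to, not a replacement for, enforcing console-side authorization of local upgrades and downgrades.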
Why ‘Detect and Respond’ Is No Longer Enough
Security tools like SentinelOne, CrowdStrike, and others operate on the assumption that threats can be accurately detected in real time and then quickly mitigated. In practice, adversaries have become adept at slipping past detection, using fileless malware, encrypted or obfuscated payloads, and now BYOI-style abuse of trusted installers to disguise their activity.
This approach creates a dangerous gap: once a threat is inside, it’s often too late to prevent damage. The delay between detection and response — even if it’s seconds — provides attackers with just enough time to execute code, exfiltrate data, or disable security tools entirely.
When attackers are using trusted software against you, it becomes increasingly difficult to detect the difference between legitimate and malicious behavior. That's why it's critical to shift to a model that doesn’t rely on detection at all.
Isolation and Containment: The New Cybersecurity Imperative
AppGuard provides a fundamentally different approach to endpoint protection. Rather than attempting to detect threats, AppGuard prevents them from executing in the first place — even if they’re embedded in a trusted process.
AppGuard applies patented isolation and containment technology that ensures untrusted processes (even those hiding inside legitimate applications) can’t make harmful changes or propagate laterally. This zero-trust execution model stops malicious code before it ever gets the chance to act, closing the gap that attackers exploit with BYOI and similar methods.
Even if the payload is launched by a trusted installer, or in the window that installer opens, AppGuard stops it from doing any harm, because containment is enforced at the process level. Unlike EDR tools that react after detecting suspicious behavior, AppGuard simply doesn’t allow such behavior to begin.
Why Businesses Should Act Now
The SentinelOne bypass should serve as a wake-up call to business owners and IT leaders. Attackers are outpacing traditional defenses by innovating faster than detection engines can update. BYOI is just the latest example of how even the best EDR tools are being gamed.
It’s time to shift from the outdated model of “detect and respond” to a proven strategy of “isolation and containment.” AppGuard has spent over a decade perfecting this approach, delivering consistent protection in environments where detection tools have failed. Now available for commercial use, it offers businesses a robust, lightweight defense against today's most sophisticated threats.
Let’s Talk
If you're ready to break free from the endless cycle of chasing threats after they’ve already gotten in, talk with us at CHIPS about how AppGuard can help. We'll show you how isolation and containment can prevent the types of attacks that bypass even the most advanced EDR systems.
AppGuard doesn’t just detect threats — it stops them cold.

July 6, 2025