When Your EDR Vendor Attacks!

November 8, 2021 | 2 minute read

Florian Roth, Head of Research at Nextron Systems in Germany, received a series of alerts on Nov. 6 that had all the telltale signs of a potentially serious security breach.

PowerShell, a popular scripting language used by system administrators to automate tasks in managing operating systems, was being leveraged in a way that is commonly used by malicious actors. 

“This must be a threat or a penetration,” Roth wrote in a Twitter post that quickly went viral:

Screenshot 2021-11-08 at 13-58-00 Florian Roth ⚡️ on Twitter

But as soon as Roth finished writing that sentence, he let the Twitterverse in on a dirty little secret. Was the rogue PowerShell script a threat or a penetration test? “Nope - just a leading EDR that runs it and may use it to … well, I have no idea and think they should rewrite their crap.”

The “leading EDR” in question turns out to be SentinelOne and if the responses to Roth’s Twitter post are any indication, the problem seems to be widespread:

Screenshot 2021-11-08 at 15-09-24 picketfence on Twitter (1)

“Had a customer freak out about this recently as well,” wrote @pchobbit, a Cisco Talos Incident Response global leader. 

“We all have,” responded @notnotaspy, Founder, CEO, and CTO of @fieldeffectsoft.

In this case, SentinelOne is using an approach that belongs more in the toolkit of an attacker than an enterprise security vendor. When SentinelOne customers are forced to ignore this type of activity to avoid the false positives generated by their EDR solution, they invite attacks by actual malicious actors using this approach. 

The Problem With SentinelOne Sensor Tech

SentinelOne’s sensors force their customers to configure their systems to ignore this type of behavior, inviting attackers to use this technique against them. Well-designed EDR platforms are supposed to help analysts focus on the things that matter most by eliminating false positives. The architecture of SentinelOne’s sensor technology, however, abuses PowerShell and often results in:

    • False positives in other security tools, wasting an analyst’s time and contributing to noise which can distract them from real threats 
    • Conflicts with Digital Forensics and Incident Response (DFIR) and other security tools, as well as other customer applications leveraging Powershell for business-critical tasks  

Cybereason’s sensor is built to exceed industry standards and, as a result, experiences no negative interactions with other tools on the endpoint or in the environment. Not only is the Cybereason sensor architected to ensure the greatest system stability, but it also offers the most comprehensive prevention and the highest fidelity detections for attacks from any vector, including PowerShell.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason EDR, why defenders choose Cybereason over SentinelOne, and how your organization can benefit from an operation-centric approach to security.

Cybereason Security Team
About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

All Posts by Cybereason Security Team