// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-25DTG 0600Z
ColdRecon / Competitor Intel / SentinelOne
Endpoint Security Vendor

SentinelOne

25 PUBLIC SECURITY EVENTS ON FILE · 2023-05-31 — 2026-05-14

Publicly-known security events concerning SentinelOne — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What SentinelOne sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

SentinelOne competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 10 incidents · 2 vendor announcements · 12 research pocs · 1 vuln disclosure.

2026-05-14
incident
Seedworm APT Uses Signed SentinelOne Binary for DLL Sideloading in Global Espionage CampaignSeedworm DLL Sideloading via SentinelOne Binary
The Iran-linked Seedworm (MuddyWater) APT group conducted a global espionage campaign in early 2026, targeting at least nine organizations across multiple sectors. The attackers used DLL sideloading with a legitimate signed SentinelOne binary (sentinelmemoryscanner.exe) to load a malicious DLL (sentinelagentcore.dll), evading endpoint detection. The malicious DLL deployed ChromElevator to steal browser credentials, with the attack chain driven by a Node.js script.
2026-05-13
vendor announcement
SentinelOne Windows Agent Installer Updated to Mitigate BYOI Bypass AttacksSentinelOne Guardian installer security hardening
SentinelOne has updated its Windows agent installer as part of the Guardian installer / SentinelInstallerDriver security hardening initiative. The change improves protection around installer and upgrade workflows and aims to reduce exposure to Bring Your Own Installer (BYOI) bypass attacks.
2026-03-27
research poc
Ridge IT Cyber MDR Testing Shows EDR Bypass RatesEDR Bypass Testing by Ridge IT Cyber
Ridge IT Cyber conducted testing of managed endpoint security solutions, finding that CrowdStrike was bypassed after 3 months while all other tested EDR platforms were bypassed within 3 days. SentinelOne blocked approximately 30% of threat samples. The results highlight varying effectiveness of EDR solutions against advanced threats.
2026-03-24
incident
HwAudKiller BYOVD Campaign Exploits Huawei Audio Driver to Terminate EDR ProcessesHwAudKiller
A malvertising campaign since January 2026 uses fraudulent Google ads to deliver a kernel-mode EDR terminator named HwAudKiller. It exploits a previously undocumented vulnerability in the signed Huawei driver HWAuidoOs2Ec.sys to terminate 23 security products from ring-0, bypassing user-mode protections. The campaign has compromised over 60 victims, enabling credential theft and lateral movement.
2026-02-24
research poc
Doppelganger LSASS Cloning Technique Evades EDR ProtectionsDoppelganger
Security researcher Andrea Varischio developed Doppelganger, a proof-of-concept tool that clones the LSASS process to extract credentials without touching the protected original. The technique bypasses EDR hooks, PPL, and monitoring by operating on a copy, leveraging BYOVD to disable PPL in kernel memory. This matters because it demonstrates a novel evasion method against modern EDRs that protect LSASS.
2025-12-07
research poc
CLR-Unhook Tool Restores Original nLoadImage to Bypass EDR .NET Assembly ScanningCLR-Unhook
A new proof-of-concept tool named CLR-Unhook removes security product hooks from the nLoadImage function in clr.dll, restoring the original CLR behavior. This allows in-memory .NET assembly loads via Assembly.Load(byte[]) to execute without EDR inspection or scanning, bypassing products like CrowdStrike, Bitdefender, and SentinelOne.
2025-11-17
research poc
SilentButDeadly: WFP-Based Network Blocker Evades EDR and AVSilentButDeadly
A new proof-of-concept tool, SilentButDeadly, uses Windows Filtering Platform (WFP) dynamic sessions to block network communication of EDR and AV processes, neutralizing their cloud-dependent security functions. It requires administrator privileges and targets processes like SentinelOne and Windows Defender, preventing telemetry, updates, and remote management. The technique minimizes forensic artifacts by cleaning up filters on exit.
2025-08-28
research poc
WDAC Policies Used to Disable EDR Agents in the WildWDAC-EDR-Block
Research details how Windows Defender Application Control (WDAC) policies are being used by threat actors to block endpoint detection and response (EDR) agents. Multiple malware families, including Krueger and a new variant named DreamDemon, have been observed deploying WDAC policies that prevent EDR components from loading. The technique remains effective against many EDR products, with limited preventive capabilities from vendors.
2025-08-07
incident
HeartCrypt Packer-as-a-Service Used by Multiple Ransomware Groups to Disable Endpoint SecurityHeartCrypt
Sophos X-Ops uncovered HeartCrypt, a packer-as-a-service derived from EDRKillShifter, being used by at least eight ransomware groups to disable EDR and AV products before deploying ransomware. The tool injects malicious code into signed executables and uses BYOVD to load a kernel driver that terminates security processes. This represents a significant escalation in ransomware tactics through cybercrime-as-a-service.
2025-07-13
research poc
PhantomLoad: Stealthy Fileless Shellcode Loader with EDR/AV Evasion ReleasedPhantomLoad
PhantomLoad is a newly released open-source, fileless shellcode loader designed for red team operations. It implements multiple evasion techniques including syscall unhooking, ETW patching, AMSI bypass, and PPID spoofing to bypass endpoint security products. The tool supports payloads from Cobalt Strike, Meterpreter, and BruteRatel, and is explicitly stated to bypass Defender, CrowdStrike, and SentinelOne.
2025-06-10
incident
Chinese Cyberespionage Groups Target SentinelOne in ShadowPad and PurpleHaze CampaignsShadowPad and PurpleHaze campaigns targeting SentinelOne
SentinelLABS reported that China-nexus threat actors conducted reconnaissance against SentinelOne's internet-facing servers and compromised a third-party IT logistics firm handling employee hardware. The attackers were unsuccessful in compromising SentinelOne itself. The campaigns, involving ShadowPad and PurpleHaze clusters, targeted over 70 organizations globally using techniques like DLL hijacking, obfuscation, and custom backdoors.
2025-05-30
incident
Conti Ransomware Gang Leaks Internal EDR Evasion Tier ListConti EDR Tier List Leak
The Conti ransomware group leaked an internal ranking of endpoint detection and response (EDR) products based on their ease of bypass during real-world attacks. The list places Microsoft Defender for Endpoint, McAfee, and Webroot in the lowest tier, while CrowdStrike is ranked highest. The leak highlights that even top-tier EDRs can be evaded, especially when poorly configured, and underscores the importance of defense-in-depth and proper security tool configuration.
2025-05-29
incident
SentinelOne Global Service Interruption Due to Infrastructure Control System FlawSentinelOne Global Service Interruption May 2025
On May 29, 2025, SentinelOne experienced a global service disruption caused by a software flaw in an outgoing infrastructure control system that deleted critical network routes. Customer endpoints remained protected, but the management console and related services were unavailable, impacting security operations. The incident was not security-related and did not affect Federal GovCloud environments.
2025-05-06
vendor announcement
SentinelOne Announces Protection Against Local Agent Upgrade Bypass TechniqueLocal Upgrade Bypass (BYOI)
Aon (Stroz Friedberg) disclosed a local bypass technique that could affect SentinelOne's Windows agent if an attacker has local admin and a signed installer. SentinelOne had already introduced a Local Upgrade Authorization feature in January 2025 to block unauthorized upgrades, and has now released a detection rule and made the feature default for new customers.
2025-02-07
research poc
Dark Web Actor Claims to Sell EDR Evasion ToolUnnamed EDR Evasion Tool
A threat actor on the dark web claims to sell a tool that bypasses EDR solutions using advanced cryptographic techniques. The tool reportedly targets CrowdStrike, Sophos, SentinelOne, and FortiClient. This highlights the growing black market for EDR evasion tools.
2024-07-17
incident
Fin7's AvNeutralizer Tool Enables EDR Tampering for Ransomware GangsAvNeutralizer
SentinelOne reports that the Fin7 threat group has developed and sold a custom tool called AvNeutralizer (aka AuKill) that tampers with endpoint detection and response (EDR) solutions. The tool has been used by multiple ransomware gangs, including AvosLocker, MedusaLocker, BlackCat, and LockBit, since early 2023. AvNeutralizer leverages a previously unseen technique using the Windows TTD monitor driver ProcLaunchMon.sys and a hardened process explorer driver to cause a denial-of-service condition on affected security products.
2024-07-16
incident
Killer Ultra Malware Disables EDR/AV in Ransomware AttacksKiller Ultra
Killer Ultra malware, used in Qilin ransomware attacks, terminates endpoint security tools by exploiting a vulnerable Zemana AntiLogger driver (CVE-2024-1853). It also clears Windows Event Logs and contains inactive post-exploitation capabilities. The malware targets Symantec, Microsoft Defender, and SentinelOne.
2024-03-22
research poc
HookChain EDR Evasion Framework ReleasedHookChain
A new open-source evasion framework named HookChain has been published, designed to bypass Endpoint Detection and Response (EDR) solutions. It uses IAT hooking, dynamic system service number resolution, and indirect system calls to hide malicious payloads. The tool claims to evade detection by several major EDR products.
2024-02-12
research poc
SentinelOne EDR Bypass Using .NET Loader with AMSI and ETW HookingSentinelOne .NET Loader Bypass
A researcher demonstrated a proof-of-concept bypass of SentinelOne EDR by using a custom .NET loader to execute Rubeus. The loader employed evasion techniques including AMSI and ETW hooking via hardware breakpoints and AES encryption. This allowed subsequent Kerberos constrained delegation abuse to impersonate a Domain Administrator.
2023-12-06
research poc
Pool Party Process Injection Techniques Bypass Major EDR SolutionsPool Party
SafeBreach researchers presented eight new process injection techniques called Pool Party at Black Hat Europe 2023. These techniques abuse Windows thread pools and worker factories to execute malicious code, achieving 100% bypass against five leading EDR products. The methods are more flexible than existing techniques and fully undetectable in tests.
2023-09-13
vuln disclosure
ALPC Port Blocking Vulnerability Affects Multiple Windows EDR AgentsCVE-2023-3280
A denial-of-service vulnerability in multiple Windows EDR products allows a low-privileged user to permanently disable the agent after a reboot by preemptively registering an ALPC port name used by the EDR. The affected EDRs fail to handle the case where the port is already in use, causing user-mode components to crash or become non-functional. Kernel components remain running but lose detection/blocking capabilities in most cases.
2023-06-01
research poc
New malware tool claims to terminate multiple EDR and antivirus agentsEDR-Terminator
A video and Reddit post surfaced on May 28, 2023, showing an executable that allegedly disables tamper protection and terminates the on-premise agents of numerous endpoint security products. The tool claims to work against vendors including CrowdStrike, SentinelOne, Carbon Black, and Windows Defender. ThreatLocker notes that its application allowlisting would block such an unknown executable from running.
2023-05-31
incident
Terminator tool uses BYOVD with Zemana driver to terminate security productsTerminator
A threat actor is selling a tool called Terminator that uses a Bring Your Own Vulnerable Driver (BYOVD) attack to terminate antivirus, EDR, and XDR processes. The tool drops a legitimate but vulnerable Zemana anti-malware driver (zamguard64.sys or zam64.sys) to gain kernel-level privileges and kill security software user-mode processes. CrowdStrike confirmed the technique is a BYOVD attack, not a novel bypass.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

SentinelOne ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →