Bypass Record

DLL Side-Loading × SentinelOne agent (sentinelmemoryscanner.exe component)

A publicly-reported instance of DLL Side-Loading bypassing SentinelOne agent (sentinelmemoryscanner.exe component), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: SentinelOne agent (sentinelmemoryscanner.exe component)
Technique: DLL Side-Loading
MITRE ATT&CK: T1574.002
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2026-05-14
Config / version noted: Not stated

Provenance

Reported as

Attackers used DLL sideloading with a legitimate signed SentinelOne binary... to load a malicious DLL... evading endpoint detection.

Mechanism

Attackers placed a legitimate signed SentinelOne executable (sentinelmemoryscanner.exe) alongside a malicious DLL (sentinelagentcore.dll) on target systems. When executed via node.exe, the signed binary sideloads the malicious DLL, which runs ChromElevator to harvest passwords, cookies, and payment data from Chromium browsers. This abuses the trust in the signed security product binary to bypass path-based and signature-based detection.

Detection & mitigation

Monitor for unexpected process creation of signed security product binaries (e.g., sentinelmemoryscanner.exe) from non-standard directories or launched by unusual parent processes like node.exe. Use application control to restrict DLL loading from untrusted paths and ensure security product binaries are only executed from their legitimate installation directories.
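Detection logic for the pattern described above, as an added example that is not from the cited source or the vendor: it checks constructed process-creation and image-load events for the signed binary running outside an assumed install root, a node.exe parent, or the agent DLL being loaded from an untrusted path. The install root, event field names and sample paths are assumptions, not the product's real telemetry schema.

```python
import ntpath

# Assumed legitimate install root (adjust to the real deployment path).
LEGIT_ROOT = "c:\\program files\\sentinelone\\"
SIGNED_BINARY = "sentinelmemoryscanner.exe"
SIDELOADED_DLL = "sentinelagentcore.dll"
SUSPICIOUS_PARENTS = {"node.exe"}

def _in_legit_root(path: str) -> bool:
    return path.lower().startswith(LEGIT_ROOT)

def classify(event: dict) -> list:
    """Return the reasons an event matches the side-loading pattern ([] if none).
    Event dicts mimic Sysmon-style fields: EventID 1 = process create,
    EventID 7 = image load (field names are assumptions)."""
    reasons = []
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != SIGNED_BINARY:
        return reasons
    if event.get("EventID") == 1:
        if not _in_legit_root(image):
            reasons.append("signed binary outside install directory")
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"launched by unusual parent {parent}")
    elif event.get("EventID") == 7:
        loaded = event.get("ImageLoaded", "")
        if ntpath.basename(loaded).lower() == SIDELOADED_DLL and not _in_legit_root(loaded):
            reasons.append("agent DLL loaded from untrusted path")
    return reasons

def scan(events):
    """Return (EventID, reasons) for every event that matches."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((e["EventID"], reasons))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelMemoryScanner.exe",
     "ParentImage": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\tmp\SentinelMemoryScanner.exe",
     "ParentImage": r"C:\Users\Public\tmp\node.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\tmp\SentinelMemoryScanner.exe",
     "ImageLoaded": r"C:\Users\Public\tmp\SentinelAgentCore.dll"},
]

if __name__ == "__main__":
    for eid, why in scan(SAMPLE_EVENTS):
        print(eid, "; ".join(why))
```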

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.