On June 18, 2026, ESET released a comprehensive analysis of "The Gentlemen," a cybercrime syndicate aggressively deploying a sophisticated toolset known as "GentleKiller." This isn't just another ransomware variant; it is a centralized, commoditized "EDR-killer" suite provided to affiliates to systematically blind security operations before encryption begins.
The mechanics are alarming but clear: The Gentlemen are leveraging Bring Your Own Vulnerable Driver (BYOVD) attacks. By weaponizing specific security issues in signed drivers, they unload or terminate Endpoint Detection and Response (EDR) processes at the kernel level. For defenders, this represents a critical failure point in our visibility. If your EDR is killed before the ransomware payload executes, your ability to triage and contain is effectively zero. We need to pivot from relying solely on user-mode protection to actively hunting for the precursors of kernel-level abuse.
Technical Analysis
Threat Actor: The Gentlemen (Ransomware Affiliate Group) Toolset: GentleKiller (Centralized EDR-Killer Suite) Attack Vector: Bring Your Own Vulnerable Driver (BYOVD)
GentleKiller functions as a modern, off-the-shelf utility for defense evasion. It automates the process of identifying installed security tools and deploying a vulnerable, signed driver to exploit the kernel. The attack chain typically follows this pattern:
- Initial Access: Obtained via standard vectors (phishing, exposed RDP, or valid credentials).
- Deployment: The "GentleKiller" user-mode component is dropped and executed.
- Privilege Escalation: The suite attempts to gain SYSTEM or Administrator privileges to load drivers.
- Driver Loading: A legitimate, yet vulnerable, signed driver (often masquerading or an old version) is loaded into the kernel.
- EDR Termination: The tool communicates with the loaded driver to leverage a vulnerability (often a memory read/write primitive) to kill the protected processes of security agents (e.g., EDR services, AV processes).
- Payload Execution: With defenses blind, the ransomware encryption phase begins.
The shift here is the centralization. The Gentlemen are not developing bespoke exploits for every target; they are equipping affiliates with a "one-click" solution to neutralize major EDR vendors, lowering the barrier to entry for high-impact attacks.
Detection & Response
Detecting BYOVD attacks requires monitoring the intersection of process creation and driver loading. Since the drivers used are often legitimately signed (to pass Code Integrity checks), signature-based alerts are insufficient. We must focus on the behavior of loading drivers from untrusted locations or using administrative tools to manipulate kernel services.
SIGMA Rules
---
title: Potential Suspicious Kernel Driver Load via Service Control
id: 8f4e3d1c-6b7a-4f9e-8c2d-1a5b6c7d8e9f
status: experimental
description: Detects the creation of a kernel driver service using sc.exe, a common method in BYOVD attacks to load vulnerable drivers.
references:
- https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2026/06/19
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: process_creation
product: windows
detection:
selection_sc:
Image|endswith: '\sc.exe'
selection_create:
CommandLine|contains: 'create'
selection_type:
CommandLine|contains: 'kernel'
selection_bin:
CommandLine|contains: '.sys'
condition: all of selection_*
falsepositives:
- Legitimate driver installation by administrators
level: high
---
title: Driver Loaded from User Directory
id: 9a5f2e4d-1c3b-4a8d-9e0f-2b3c4d5e6f7a
status: experimental
description: Detects the loading of kernel drivers (.sys) from user-writable directories (User Profile, AppData, Temp), which is highly suspicious for BYOVD.
references:
- https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2026/06/19
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: driver_load
product: windows
detection:
selection:
ImageLoaded|endswith: '.sys'
filter_paths:
ImageLoaded|contains:
- '\Windows\System32\drivers\'
- '\Windows\SysWOW64\drivers\'
condition: selection and not filter_paths
falsepositives:
- Rare legitimate software installation
level: critical
KQL (Microsoft Sentinel / Defender)
// Hunt for processes creating kernel services, specifically sc.exe or PowerShell creating services
let SuspiciousServiceCreation =
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName in~ ('sc.exe', 'powershell.exe', 'cmd.exe') or ProcessVersionInfoOriginalFileName in~ ('sc.exe', 'powershell.exe'))
| where ProcessCommandLine has 'create' and (ProcessCommandLine has 'kernel' or ProcessCommandLine has '.sys')
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
// Hunt for driver loads from suspicious locations (Sysmon Event 6 equivalent in Defender)
let SuspiciousDriverLoad =
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where FileName endswith ".sys"
| where FolderPath !contains @"C:\Windows\System32\drivers\" and FolderPath !contains @"C:\Windows\SysWOW64\drivers\"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, Signed;
// Union and correlate
union SuspiciousServiceCreation, SuspiciousDriverLoad
| summarize count() by DeviceName, bin(Timestamp, 1h)
| where count_ > 0
| order by count_ desc
Velociraptor VQL
-- Hunt for loaded drivers that are not in the standard system paths
SELECT Name, Description, Company, Signed, LoadTime, DeviceName
FROM drivers()
WHERE Name =~ "\.sys"
AND NOT DeviceName =~ "^C:\\Windows\\System32\\drivers\\.*"
AND NOT DeviceName =~ "^C:\\Windows\\SysWOW64\\drivers\\.*"
-- Add specific checks for known vulnerable drivers if indicators become available
Remediation Script (PowerShell)
This script enables the Microsoft Vulnerable Driver Blocklist, a critical defense against BYOVD attacks, and verifies the configuration.
# Enable the Vulnerable Driver Blocklist to mitigate BYOVD attacks
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config"
$name = "VulnerableDriverBlocklistEnable"
$value = 1
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force | Out-Null
}
$currentValue = (Get-ItemProperty -Path $registryPath -Name $name -ErrorAction SilentlyContinue).$name
if ($currentValue -ne $value) {
Set-ItemProperty -Path $registryPath -Name $name -Value $value -Type DWord
Write-Host "SUCCESS: Vulnerable Driver Blocklist has been enabled." -ForegroundColor Green
} else {
Write-Host "INFO: Vulnerable Driver Blocklist is already enabled." -ForegroundColor Cyan
}
# Ensure Driver Signature Enforcement is strictly enforced (Prevents OS test signing from being abused)
$ciPath = "HKLM:\SYSTEM\CurrentControlSet\Control\CI"
if ((Get-ItemProperty -Path $ciPath).Policy -ne 0) {
# Note: Changing CI Policy usually requires reboot and can be disruptive.
# This script focuses on the Blocklist which is safer to apply immediately.
Write-Host "WARNING: Please verify Code Integrity Policies ensure only signed drivers load." -ForegroundColor Yellow
}
Remediation
- Enable Vulnerable Driver Blocklist: Immediately apply the Microsoft Vulnerable Driver Blocklist (via the PowerShell script above or Intune). This is the most effective immediate control against known BYOVD drivers.
- Restrict Driver Loading: Implement "Driver Signature Enforcement" strictly. Use Windows Defender Application Control (WDAC) policies to create an allow-list of approved drivers. This prevents the loading of the abused vulnerable drivers even if they are technically signed.
- Least Privilege: The GentleKiller suite requires Administrator privileges to load drivers. Ensure local admin rights are stripped from standard users and strictly managed for IT staff via Just-In-Time (JIT) elevation.
- Hunt for "GentleKiller": While specific IOCs for this tool may evolve, search your endpoints for any unsigned executables or scripts named "GentleKiller" or variations in AppData or Temp directories.
- Patch Management: While BYOVD relies on old driver bugs, ensuring your OS and EDR software are fully updated is critical. Vendors often release kernel-level callbacks that are harder to terminate than standard user-mode processes.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.