GentleKiller: Countering The Gentlemen's BYOVD EDR-Bypass Attack Chain

On June 18, 2026, ESET published a comprehensive breakdown of "The Gentlemen," a ransomware-as-a-service (RaaS) operation that has aggressively matured its initial access vectors. The most alarming development is the group's deployment of "GentleKiller"—a centralized, subscription-based EDR-killing suite distributed to affiliates.

Security teams must move beyond standard ransomware playbooks. The Gentlemen do not just encrypt data; they systematically blind your defenses first. By leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques, this group renders endpoint detection and response (EDR) and antivirus solutions inert before the encryption phase begins. This post dissects the GentleKiller infrastructure and provides the necessary detection logic and hardening steps to defend against this active threat.

Technical Analysis

The Threat Actor: The Gentlemen

The Gentlemen operate as a sophisticated RaaS entity. Unlike typical operations that rely solely on phishing, they provide affiliates with a "C2-as-a-Service" model, which now includes the GentleKiller utility. This tool reflects a disturbing trend: commoditizing kernel-level bypasses for lower-tier cybercriminals.

The Weapon: GentleKiller & BYOVD

GentleKiller is not a novel exploit but a weaponized implementation of the BYOVD technique. The attack chain typically follows this pattern:

1. Initial Access: Affiliates gain footholds via compromised credentials or phishing.
2. Deployment: The GentleKiller suite is dropped onto the victim's endpoint.
3. Driver Loading: The tool loads a legitimate, signed driver that contains a known vulnerability (often related to arbitrary read/write or IOCTL misuse).
4. Kernel Exploitation: The attacker exploits the vulnerable driver to gain kernel-mode (Ring 0) privileges.
5. EDR Termination: With kernel access, GentleKiller locates the kernel callbacks and process handles of security agents, unloading them or terminating their user-mode components.
6. Ransomware Execution: With defenses disabled, the ransomware payload executes without interference.

Affected Platforms

• Windows: Primary target due to the prevalence of specific vulnerable drivers and the architecture of many EDR solutions relying on kernel drivers.
• Linux: While BYOVD is primarily a Windows concern in this context, The Gentlemen's infrastructure suggests potential cross-platform capabilities, though the GentleKiller tool focuses heavily on Windows endpoint security agents.

Exploitation Status

• Status: Confirmed Active Exploitation. ESET's analysis corroborates data from a May 2026 internal leak, confirming that the tool is currently in use in live environments.
• Vulnerability: The tool chains known vulnerabilities in legitimate drivers. While specific CVEs for the drivers were not disclosed in the summary, the technique relies on the inability of standard OS controls to block signed drivers, even when those drivers are known to be unsafe.

Detection & Response

Detecting BYOVD attacks like GentleKiller is challenging because the malicious code (the driver) is digitally signed by a legitimate certificate (e.g., a hardware vendor). Defense-in-depth is required, focusing on the context of the driver load rather than just the signature.

SIGMA Rules

These rules focus on the behavioral indicators of a BYOVD attack: a non-system process loading a kernel driver, or a driver being loaded from a suspicious user-writable path.

---
title: Potential BYOVD Activity - Driver Load from User Directory
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects when a kernel driver is loaded from a user-writable directory (AppData, Temp, Downloads), a common tactic for BYOVD tools like GentleKiller to load malicious signed drivers.
references:
  - https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2026/06/19
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: driver_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith: '.sys'
  filter_paths:
    Image|contains:
      - '\\AppData\\'
      - '\\Temp\\'
      - '\\Downloads\\'
  filter_legit:
    Signed: 'false'
  condition: selection and filter_paths and not filter_legit
falsepositives:
  - Legitimate driver installs from temp directories (rare)
level: high
---
title: Suspicious Driver Load by Non-System Process
id: 9b3c2d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects kernel drivers being loaded by processes that are not standard system utilities (e.g., svchost, services, setupapi). GentleKiller often runs as a user-mode dropper to load the vulnerable driver.
references:
  - https://attack.mitre.org/techniques/T1068/
author: Security Arsenal
date: 2026/06/19
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: driver_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith: '.sys'
  filter_initiators:
    Image|endswith:
      - '\\svchost.exe'
      - '\\services.exe'
      - '\\lsass.exe'
      - '\\wininit.exe'
      - '\\rundll32.exe'
      - '\\sihost.exe'
  condition: selection and not filter_initiators
falsepositives:
  - Manual driver testing by administrators
  - Specific vendor software installers
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for image load events where a kernel driver (.sys) is loaded, but the initiating process is not a standard Windows system component. This helps identify the dropper component of GentleKiller.

DeviceImageLoadEvents
| where FileName endswith ".sys"
| where InitiatingProcessFileName !in ("svchost.exe", "services.exe", "lsass.exe", "wininit.exe", "csrss.exe", "explorer.exe", "cmd.exe", "powershell.exe", "System")
| where isnotnull(Signer)
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, Signer
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for drivers currently loaded in memory that are signed but originate from non-standard paths or have mismatched version information, a common sign of a BYOVD payload.

-- Hunt for drivers loaded from suspicious locations or with unusual signatures
SELECT 
  Name as DriverName,
  DeviceName as Device,
  ImagePath as Path,
  Company as Publisher,
  Signed as IsSigned
FROM drivers()
WHERE Path =~ "AppData" OR Path =~ "Temp" OR Path =~ "Downloads"
   OR (IsSigned AND Publisher NOT IN ("Microsoft Corporation", "Intel Corporation", "NVIDIA Corporation"))

Remediation Script (PowerShell)

The primary remediation for BYOVD is not just removing the file, but preventing the vulnerable driver from ever loading. This script enables the Microsoft Vulnerable Driver Blocklist and enforces Hypervisor-protected Code Integrity (HVCI), which significantly impedes kernel-level exploits.

# Ensure we are running as Administrator
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Error "Please run as Administrator."
    exit
}

Write-Host "Applying defensive hardening against BYOVD (GentleKiller)..."

# 1. Enable the Vulnerable Driver Blocklist (Requires at least Win10 1903 / Server 2022)
$RegistryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config"
$Name = "VulnerableDriverBlocklistEnable"
$Value = 1

if (-not (Test-Path $RegistryPath)) {
    New-Item -Path $RegistryPath -Force | Out-Null
}

Set-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -Type DWord
Write-Host "[+] Vulnerable Driver Blocklist Enabled."

# 2. Check and Enable Memory Integrity (HVCI)
# Requires reboot to take effect fully
$CIPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
if (Test-Path $CIPath) {
    Set-ItemProperty -Path $CIPath -Name "Enabled" -Value 1 -Type DWord
    Write-Host "[+] Hypervisor-protected Code Integrity (HVCI) Enabled. Reboot required."
} else {
    Write-Host "[!] HVCI registry path not found. Ensure hardware supports virtualization-based security."
}

Write-Host "Hardening complete. A system reboot is required to finalize changes."

Remediation

Immediate Actions

1. Isolate Affected Hosts: If GentleKiller is detected, assume the EDR is disabled. Isolate the machine from the network physically or via VLAN switching immediately to prevent lateral movement.
2. Identify the Driver: Use the VQL script above to identify the specific .sys file loaded by GentleKiller. Check the hash against your threat intelligence platform to determine the specific vulnerability being abused.
3. Block the Driver: Add the specific driver hash to the Windows Driver Blocklist via Group Policy or Intune.

Long-Term Defenses

1. Enable Vulnerable Driver Blocklist: As shown in the script above, ensure VulnerableDriverBlocklistEnable is set to 1 across the enterprise. Microsoft updates this list frequently to include known abused drivers.
2. Enforce Kernel-Mode Code Signing: Ensure policies are in place to prevent the loading of unsigned drivers or drivers signed by untrusted certificates.
3. Hypervisor-Protected Code Integrity (HVCI): Enable HVCI (Memory Integrity) on all supported endpoints. This creates a virtualization-based barrier that makes exploiting kernel drivers significantly harder, effectively neutering many BYOVD attempts.
4. Reduce Local Admin Privileges: BYOVD tools often require Administrator privileges to load drivers. Strictly enforcing Least Privilege prevents the initial dropper from executing the driver load.
5. Monitor for EDR Tampering: Configure detection rules to look for service stops in security agents (e.g., stopping the "SentinelAgent" or "WinDefend" services) directly via sc.exe or taskkill.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub