GentleKiller Framework: Detecting and Defending Against The Gentlemen RaaS EDR Attacks

The threat landscape has shifted once again as we enter the second half of 2026. We are tracking a concerning development in the Ransomware-as-a-Service (RaaS) ecosystem known as "The Gentlemen." Unlike typical operations that focus solely on encryption speed, this group has prioritized disabling endpoint visibility through a sophisticated suite of tools they call "GentleKiller."

The Gentlemen RaaS is not just selling encryptors; they are arming affiliates with a mature portfolio of EDR-killing utilities designed to impair system defenses before the ransomware payload executes. By targeting over 400 distinct security processes, this framework aims to blind SOC teams, rendering standard detection mechanisms useless. For defenders, this means the standard "assume breach" posture must evolve to include rigorous validation of EDR integrity and the hunting for defense-evasion precursors.

Technical Analysis

The Threat Actor: The Gentlemen RaaS The Gentlemen represents a mature, service-oriented cybercrime operation. Their recent activity highlights a focus on operational security and maximizing success rates for their affiliates by neutralizing the primary obstacle: Endpoint Detection and Response (EDR) solutions.

The Mechanism: GentleKiller Framework At the heart of this operation is the GentleKiller framework. This is not a single exploit but a modularized toolkit specifically designed to identify and terminate security agents.

• Target Scope: The framework targets approximately 400 security processes. While the full list is dynamic, it encompasses a wide array of vendors, including CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Trellix, and Elastic, among others.
• Technique: The framework likely employs a combination of methods to achieve termination:
  • Direct Process Termination: Using Windows API calls (e.g., TerminateProcess) or command-line utilities like taskkill.
  • Service Stopping: Leveraging sc.exe or net.exe to halt the background services that power EDR agents.
  • Driver Unloading/Abuse: While not explicitly detailed in the initial reporting, frameworks of this magnitude often incorporate Bring Your Own Vulnerable Driver (BYOVD) techniques to disable kernel-level protections or unload kernel drivers responsible for self-protection.

Attack Chain:

1. Initial Access: Affiliates gain access via standard vectors (phishing, exposed RDP, valid credentials).
2. Defense Evasion: The GentleKiller framework is deployed. It enumerates running processes, matches them against its internal database of security vendors, and systematically terminates them.
3. Payload Deployment: Once the "eyes" of the endpoint are blinded, the Gentlemen encryptor is deployed without triggering alerts.

Exploitation Status: As of June 2026, this framework is confirmed active in the wild. It is being distributed to affiliates, suggesting a high volume of potential future victims.

Detection & Response

Detecting EDR killing activity is challenging because if the attacker succeeds, the EDR agent stops sending telemetry. Therefore, detection logic must be resilient and multi-layered, relying on OS-level logging (Sysmon, Security Event Log) and behavioral anomalies rather than solely on EDR alerts.

The following rules hunt for the common behaviors associated with mass security process termination and service manipulation.

SIGMA Rules

---
title: Potential EDR Killer Activity - Mass Process Termination
id: 9a8c7d6e-5f4b-3a2b-1c9d-0e8f7a6b5c4d
status: experimental
description: Detects attempts to terminate multiple known security-related processes via taskkill or similar utilities, indicative of EDR killer frameworks like GentleKiller.
references:
  - https://thehackernews.com/2026/06/the-gentlemen-raas-uses-gentlekiller.html
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_utility:
    Image|endswith:
      - '\taskkill.exe'
      - '\taskmgr.exe'
      - '\powershell.exe'
      - '\cmd.exe'
  selection_keywords:
    CommandLine|contains:
      - '/F'
      - '/IM'
      - 'Stop-Process'
      - 'kill'
  selection_targets:
    CommandLine|contains:
      - 'csagent'
      - 'sentinelagent'
      - 'MsMpEng'
      - 'CBService'
      - 'carbonblack'
      - 'windefend'
      - 'elasticagent'
      - 'tamper'
  condition: selection_utility and selection_keywords and selection_targets
falsepositives:
  - Legitimate administrative troubleshooting of AV software (rare)
level: high
---
title: Suspicious Service Stop on Security Software
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects attempts to stop services associated with major EDR/Antivirus vendors using sc.exe or net.exe.
references:
  - https://thehackernews.com/2026/06/the-gentlemen-raas-uses-gentlekiller.html
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_sc:
    Image|endswith:
      - '\sc.exe'
      - '\net.exe'
      - '\net1.exe'
  selection_cmd:
    CommandLine|contains:
      - ' stop '
      - ' pause '
  selection_security_svcs:
    CommandLine|contains:
      - 'Sense'
      - 'WinDefend'
      - 'CBService'
      - 'SentinelAgent'
      - 'SavService'
      - 'bdagent'
      - 'Sophos'
      - 'F-Secure'
  condition: selection_sc and selection_cmd and selection_security_svcs
falsepositives:
  - Authorized system maintenance
level: high

KQL (Microsoft Sentinel)

This query hunts for distinct processes attempting to terminate security agents or stop their services within a short timeframe.

let ProcessList = dynamic(['csagent.exe', 'SentinelAgent.exe', 'MsMpEng.exe', 'CB.exe', 'CarbonBlack.exe', 'elasticagent.exe', 'bdagent.exe', 'fsav32.exe']);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in ('taskkill.exe', 'powershell.exe', 'cmd.exe', 'wmic.exe')
| where ProcessCommandLine has_any ('/F', '/IM', 'Stop-Process', 'terminate')
| where TargetProcessFileName in~ ProcessList
| summarize count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, InitiatingProcessFileName, TargetProcessFileName, AccountName
| order by count_ desc

Velociraptor VQL

This VQL artifact hunts for the presence of "GentleKiller" related strings in command lines or checks for the suspicious state of security services.

-- Hunt for processes attempting to terminate known security agents
SELECT 
   Pid, 
   Name, 
   CommandLine, 
   Exe, 
   Username, 
   StartTime
FROM pslist()
WHERE CommandLine =~ '(?i)(taskkill|stop-process|sc stop|net stop)'
   AND CommandLine =~ '(?i)(csagent|sentinel|windefend|cbservice|carbonblack|elastic|sophos)'

-- Complementary check: Verify if critical security services are in a Stopped state
SELECT Name, State, DisplayName, StartMode
FROM wmi(query="SELECT * FROM Win32_Service WHERE State='Stopped' AND DisplayName LIKE '%security%' OR DisplayName LIKE '%defender%' OR DisplayName LIKE '%antivirus%'")

Remediation Script (PowerShell)

This script verifies the status of common EDR services and attempts to restart them if stopped. It requires administrative privileges.

# Check and restart common EDR/Antivirus services
# Requires Admin Privileges

$ServicesToCheck = @(
    "WinDefend",      # Microsoft Defender
    "Sense",          # Advanced Threat Protection
    "WdNisSvc",       # Microsoft Defender Network Inspection
    "CBService",      # VMware Carbon Black
    "SentinelAgent",  # SentinelOne
    "Sophos MCS Agent", # Sophos
    "TamperService",  # Generic Tamper Protection
)

Write-Host "[+] Initiating EDR Service Health Check..." -ForegroundColor Cyan

foreach ($ServiceName in $ServicesToCheck) {
    $Service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    
    if ($Service) {
        if ($Service.Status -ne "Running") {
            Write-Host "[!] ALERT: Service '$ServiceName' is not running (Current: $($Service.Status))." -ForegroundColor Red
            try {
                Write-Host "[*] Attempting to start '$ServiceName'..." -ForegroundColor Yellow
                Start-Service -Name $ServiceName -ErrorAction Stop
                Write-Host "[+] SUCCESS: Service '$ServiceName' started." -ForegroundColor Green
            }
            catch {
                Write-Host "[-] FAILED: Could not start '$ServiceName'. Check for persistence or tampering." -ForegroundColor DarkRed
            }
        }
        else {
            Write-Host "[+] OK: Service '$ServiceName' is running." -ForegroundColor Green
        }
    }
    else {
        Write-Host "[-] INFO: Service '$ServiceName' not found on this endpoint." -ForegroundColor Gray
    }
}

Remediation

Given that the GentleKiller framework is a toolset rather than a single vulnerability patch, remediation requires a layered approach focused on hardening and integrity:

1. Enable Tamper Protection: Ensure that Tamper Protection features within your EDR solution are enabled and strictly configured (e.g., password/passphrase protected). This is the primary defense against process termination.
2. ELAM Driver Verification: Verify that Early Launch Anti-Malware (ELAM) drivers are active and signed correctly to prevent kernel-level unloads.
3. Service Recovery Configuration: Configure all security-related services to restart immediately upon failure. This can be done via sc.exe failure <servicename> reset= 0 actions= restart/60000.
4. Hunt for Persistence: If GentleKiller has been used, assume the attacker has administrative access. Hunt for scheduled tasks, registry run keys, or services created by the attacker to maintain access.
5. User Access Control (UAC): Strictly enforce UAC and deny administrative rights from standard user accounts to prevent the execution of these tools in the first place.

Category

soc-mdr

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub