Back to Intelligence

Gentlemen RaaS: Detecting and Blocking Multi-Vector EDR Killer Toolsets

SA
Security Arsenal Team
June 19, 2026
6 min read

The threat landscape has escalated with the emergence of the "Gentlemen" encryption-based incident, a Ransomware-as-a-Service (RaaS) operation that is aggressively prioritizing defense evasion. Unlike commodity ransomware that relies purely on encryption, the Gentlemen group is actively developing and maintaining a sophisticated suite of Endpoint Detection and Response (EDR) killers.

This is a critical shift in attacker behavior. By commodifying tools designed to blind security monitoring, Gentlemen lowers the barrier to entry for affiliates, allowing them to disable primary defenses before encryption begins. Defenders can no longer rely on the assumption that their EDR agents are immune to tampering; we must actively hunt for the precursors to defense disablement.

Technical Analysis

Affected Products and Platforms

  • Platform: Windows endpoints (primary target for EDR killer toolsets).
  • Targeted Defenses: The campaign is designed to bypass popular EDR and antivirus solutions by terminating their associated processes and drivers.

Attack Mechanism The "Gentlemen" operation supplies affiliates with a toolkit specifically engineered to evade detection. While the specific encryption payload varies, the initial access and defense evasion phase relies on "EDR killers." These tools typically operate via:

  1. Process Termination: abusing native utilities (e.g., taskkill.exe, sc.exe) or signed binaries to terminate security agent processes.
  2. Driver Manipulation: leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques or unloading kernel callbacks associated with security vendors to prevent behavior monitoring.

Exploitation Status

  • Status: Confirmed Active Exploitation. The threat actors are "actively developing and maintaining" this toolkit, indicating an ongoing campaign rather than a historical artifact.
  • Availability: These tools are distributed directly to affiliates within the RaaS ecosystem, making them accessible to a wide range of skill levels.

Detection & Response

To defend against the Gentlemen RaaS and similar EDR-killing campaigns, defenders must monitor for the specific behavioral indicators of security service termination.

SIGMA Rules

YAML
---
title: Potential EDR Killer - Security Service Termination
id: 9a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects attempts to stop security-related services using sc.exe, a common tactic in EDR killer scripts.
references:
  - https://attack.mitre.org/techniques/T1562/001/
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_sc:
    Image|endswith: '\sc.exe'
    CommandLine|contains: ' stop '
  selection_keywords:
    CommandLine|contains:
      - 'security'
      - 'defend'
      - 'sense'
      - 'agent'
      - 'endpoint'
      - 'crowd'
      - 'sentinel'
      - 'sophos'
      - 'tamper'
  condition: all of selection_*
falsepositives:
  - Legitimate administrator restarting security services (rare)
level: high
---
title: Potential EDR Killer - Process Termination Utility
id: b4c5d6e7-f8g9-h0i1-j2k3-l4m5n6o7p8q9
status: experimental
description: Detects the use of taskkill.exe to forcibly terminate processes, commonly used by EDR killers to disable agents.
references:
  - https://attack.mitre.org/techniques/T1562.001/
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\taskkill.exe'
    CommandLine|contains:
      - '/f'
      - '/im'
  filter_generic:
    # This rule requires tuning based on environment, but we look for usage against common agent paths
    CommandLine|contains:
      - '.exe'
  condition: selection and not filter_generic # Placeholder: refine by excluding legitimate IT tools
falsepositives:
  - Helpdesk technicians terminating hung applications
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious service stop commands and process termination attempts
// Context: Gentlemen RaaS EDR Killer activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("sc.exe", "taskkill.exe", "net.exe", "net1.exe")
| where ProcessCommandLine has_any ("stop", "delete", "/f", "/im")
| where ProcessCommandLine has_any ("Defend", "Sense", "Agent", "CrowdStrike", "SentinelOne", "Sophos", "WinDefend", "MsMpEng")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for process execution patterns indicative of EDR killers
-- Look for sc.exe stop or taskkill targeting security processes
SELECT Pid, Name, CommandLine, Exe, Username, StartTime
FROM pslist()
WHERE Name =~ 'sc.exe' 
   AND CommandLine =~ 'stop'
   OR Name =~ 'taskkill.exe'
   AND CommandLine =~ '/f'

-- Additionally, hunt for recently modified or loaded unsigned drivers
-- often used in BYOVD attacks associated with EDR killers
SELECT Filename, Mtime, Size, VersionInformation.CompanyName
FROM glob(globs="C:\Windows\System32\drivers\*.sys")
WHERE Mtime < now() - 24h 
   AND SigStatus = "Unsigned"

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Remediation Script: Audit and Restore Security Services.
.DESCRIPTION
    Checks the status of critical security services and attempts to restart them if stopped.
    Also verifies that the EDR process is active.
#>

# Define critical services to monitor (Add your specific EDR vendor service names here)
$criticalServices = @(
    "WinDefend",       # Microsoft Defender
    "Sense",           # Windows Defender Advanced Threat Protection Service
    "WdNisSvc",        # Windows Defender Antivirus Network Inspection Service
    "SecurityHealthService"
    # Add 3rd party EDR services, e.g., "CrowdStrike Falcon Sensor Service", "SentinelAgent"
)

Write-Host "[+] Initiating Security Service Audit..." -ForegroundColor Cyan

$servicesStatus = Get-Service -Name $criticalServices -ErrorAction SilentlyContinue

foreach ($service in $servicesStatus) {
    if ($service.Status -ne "Running") {
        Write-Host "[!] ALERT: Service $($service.Name) is $($service.Status). Attempting recovery..." -ForegroundColor Red
        try {
            Start-Service -Name $service.Name -ErrorAction Stop
            Write-Host "[+] SUCCESS: Service $($service.Name) restarted." -ForegroundColor Green
        }
        catch {
            Write-Host "[-] FAILURE: Could not restart $($service.Name). Manual intervention required." -ForegroundColor Red
        }
    }
    else {
        Write-Host "[OK] Service $($service.Name) is Running." -ForegroundColor Green
    }
}

# Check for presence of critical EDR processes
$processesToCheck = @("MsMpEng.exe", "SenseCncProxy.exe") # Add vendor specific processes
Write-Host "[+] Verifying EDR Process Integrity..."
Get-Process -Name $processesToCheck -ErrorAction SilentlyContinue | Select-Object ProcessName, Id, Path

Remediation

  1. Enable Tamper Protection: Ensure that "Tamper Protection" is enabled in your EDR solution. This prevents local processes (including those run by the EDR killer scripts) from stopping the security agent or modifying its registry keys. This is the single most effective control against the Gentlemen RaaS toolset.

  2. Restrict Driver Loading: Implement strict Kernel-Mode Code Signing policies via Windows Defender Application Control (WDAC) or Group Policy. Many EDR killers rely on loading vulnerable drivers (BYOVD) to disable security callbacks; blocking unsigned or untrusted drivers neutralizes this vector.

  3. Application Control: Utilize AppLocker or Windows Defender Application Control to block the execution of known abuse binaries (sc.exe, taskkill.exe) from user-writable paths or limit their usage to specific privileged admin accounts.

  4. Service Recovery Configuration: Configure critical security services (e.g., WinDefend, Sense) with "First failure" and "Second failure" recovery actions set to "Restart the Service" within the Windows Services console (services.msc). This ensures automatic resilience if the EDR killer momentarily succeeds.

  5. Incident Response Plan: If an EDR killer is detected, assume the host is compromised. Isolate the endpoint immediately and perform a full forensic triage to determine if lateral movement has occurred before the defenses were disabled.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringgentlemen-ransomwareedr-evasionransomware-as-a-serviceedr-killer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.