What Changed

Adds two new hunting queries targeting the “Gentlemen” ransomware campaign's infrastructure and payload artifacts. They provide detection coverage for the EtherRAT and TukTuk malware that precedes domain-wide ransomware deployment.

Detection Logic

Both queries use Microsoft Defender for Endpoint telemetry (DeviceNetworkEvents, DeviceFileEvents) and are written in optimized KQL:

C2 Domain Connection Query:

  • Primary data source: DeviceNetworkEvents
  • Core logic: identifies outbound connections to hard-coded IOC domains using a has_any pre-filter on the raw URL, followed by parse_url() host extraction and exact in~ host matching
  • Entity types mapped: Host, Account, Process, IP, URL
  • Targets Web3 gateways (1rpc.io), TryCloudflare tunnels, and abused SaaS platforms (Supabase, ClickHouse, Neon)
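The pattern described above, as an added illustration rather than the PR's own query: a cheap has_any pre-filter over the raw RemoteUrl narrows the scan, and the exact in~ match on the parsed host avoids false positives from substrings such as a benign domain that merely contains an IOC string. Only 1rpc.io is taken from this PR; the other list entries are placeholders that must be replaced with the campaign's published IOC domains, and the 30-day lookback is an assumption.

```kql
// Added example, not the PR's query. Outbound connections to hard-coded C2 domains.
// "1rpc.io" is named in the PR; the remaining entries are PLACEHOLDERS to be replaced
// with the campaign's published IOC list.
let c2_domains = dynamic([
    "1rpc.io",
    "PLACEHOLDER-tunnel-subdomain.trycloudflare.com",
    "PLACEHOLDER-project.supabase.co"
]);
DeviceNetworkEvents
| where Timestamp > ago(30d)                       // lookback window (assumption)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
| where RemoteUrl has_any (c2_domains)             // cheap term pre-filter over the raw field
// Normalize to the bare hostname. DeviceNetworkEvents often records RemoteUrl without a
// scheme, in which case parse_url() yields an empty Host; coalesce() then falls back to
// the raw value (Kusto coalesce() skips empty strings as well as nulls).
| extend ParsedHost = tolower(coalesce(tostring(parse_url(RemoteUrl).Host), RemoteUrl))
| where ParsedHost in~ (c2_domains)                // exact, case-insensitive host match
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort, RemoteUrl, ParsedHost, ActionType
| order by Timestamp desc
```

In the Sentinel hunting-query YAML, the projected DeviceName, AccountName, InitiatingProcessFileName, RemoteIP and RemoteUrl columns are what the Host, Account, Process, IP and URL entity mappings bind to; ParsedHost is the field an analyst pivots on first, because it tells them which of the abused services (Web3 gateway, tunnel, SaaS platform) the endpoint reached.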

Payload Hash Query:

  • Primary data source: DeviceFileEvents
  • Core logic: detects file creation/modification events matching known SHA256/SHA1/MD5 hashes of trojanized MSI installers, EtherRAT scripts, and TukTuk sideloaded DLLs
  • Entity types mapped: Host, Account, Process, File, FileHash
  • Uses coalesce() for reliable hash matching across file and process contexts
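The coalesce() approach described above, as an added illustration rather than the PR's own query. A DeviceFileEvents row may carry hashes on the written file, on the initiating process, or on both; coalesce() takes the first non-empty value per algorithm so a single in~ comparison covers either context. Every hash value below is a labelled placeholder that must be replaced with the campaign's published IOC hashes, and the 30-day lookback is an assumption.

```kql
// Added example, not the PR's query. File create/modify events matching known payload hashes.
// All hash values are PLACEHOLDERS; substitute the campaign's published IOC hashes.
let sha256_iocs = dynamic(["PLACEHOLDER_SHA256_TROJANIZED_SYSINTERNALS_MSI",
                           "PLACEHOLDER_SHA256_MALICIOUS_LOG4NET_DLL"]);
let sha1_iocs   = dynamic(["PLACEHOLDER_SHA1_ETHERRAT_SCRIPT"]);
let md5_iocs    = dynamic(["PLACEHOLDER_MD5_TUKTUK_SIDELOADED_DLL"]);
DeviceFileEvents
| where Timestamp > ago(30d)                           // lookback window (assumption)
| where ActionType in ("FileCreated", "FileModified")
// Prefer the file's own hash; fall back to the initiating process hash when the
// file hash was not recorded (coalesce() skips empty strings as well as nulls).
| extend MatchSHA256 = coalesce(SHA256, InitiatingProcessSHA256),
         MatchSHA1   = coalesce(SHA1,   InitiatingProcessSHA1),
         MatchMD5    = coalesce(MD5,    InitiatingProcessMD5)
| where MatchSHA256 in~ (sha256_iocs)
    or MatchSHA1   in~ (sha1_iocs)
    or MatchMD5    in~ (md5_iocs)
// Surface which hash and which context produced the hit, for triage.
| extend MatchedHash = case(MatchSHA256 in~ (sha256_iocs), MatchSHA256,
                            MatchSHA1   in~ (sha1_iocs),   MatchSHA1,
                            MatchMD5),
         HashContext = iff(isnotempty(SHA256) or isnotempty(SHA1) or isnotempty(MD5),
                           "file", "initiating_process")
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          FileName, FolderPath, ActionType, MatchedHash, HashContext,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          SHA256, SHA1, MD5
| order by Timestamp desc
```

MatchedHash and HashContext are the kind of columns a customDetails block in the YAML would surface so the responder sees at a glance whether the trojanized MSI itself was written to disk or whether an already-running payload (for example the sideloaded log4net.dll host process) produced the file. One caveat of the coalesce() pattern: when a file hash is present but benign, the initiating process hash is never compared; if both contexts must be checked independently, replace the coalesce() with separate `or` clauses on the file and process hash columns.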

MITRE Mapping

  • T1204.002: Malicious File (trojanized Sysinternals MSI files)
  • T1567.002: Exfiltration to Cloud Storage (abused SaaS platforms)
  • T1568.002: Domain Generation Algorithms (decentralized Web3 C2s)
  • T1574.002: DLL Side-Loading (malicious log4net.dll)

Campaign Context

Based on DFIR reporting, this threat actor uses a sophisticated intrusion chain:

  1. Initial Access: Trojanized MSI installers masquerading as Sysinternals tools
  2. C2 Infrastructure: Decentralized Web3 gateways, TryCloudflare tunnels, and legitimate SaaS platforms (bypasses reputation-based blocking)
  3. Payload Delivery: EtherRAT and TukTuk malware establishing persistence via DLL side-loading
  4. Final Impact: Domain-wide Gentlemen ransomware deployment

The hunting queries match on exact file hashes and C2 hostnames rather than fuzzy indicators, and produce triage-optimized output, including customDetails, so responders have the device, account, process and indicator context for an incident without a second query.

Affected Files

Hunting Queries/Microsoft 365 Defender/Campaigns/TheGentlemanRansomware/GentlemanRansomwareC2DomainConnection.yaml
Hunting Queries/Microsoft 365 Defender/Campaigns/TheGentlemanRansomware/GentlemanRansomwarePayloadHashes.yaml