Severity: HIGH
CVSS: 9.5
Priority: 0.740
Executive Summary
Check Point researchers accessed a SystemBC command-and-control server tied to The Gentlemen ransomware-as-a-service operation, revealing more than 1,570 compromised corporate networks, the vast majority never publicly disclosed. The group has operated since July 2025, targeting Windows, Linux, VMware ESXi, Hyper-V, NAS, and BSD environments across heterogeneous enterprise infrastructure. The gap between 320 publicly claimed victims and 1,570+ C2-confirmed victims indicates that most compromised organizations are in an active dwell phase, exposing them to data theft, pre-ransomware staging, and selective extortion - threats that remain hidden until deployment or extortion demand.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (High severity — prioritize for investigation)
Actor Attribution: HIGH (The Gentlemen)
TTP Sophistication: HIGH (17 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (Multiple evasion techniques observed)
Target Scope: INFO (Windows, Linux, NAS, BSD, VMware ESXi, Hyper-V, Windows Defender, SMB, Group Policy (Active Directory))
Are You Exposed?
⚠ Your industry is targeted by The Gentlemen → Heightened risk
⚠ You use Microsoft Windows products or services → Assess exposure
⚠ 17 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
An organization already in The Gentlemen's botnet faces active data theft and potential ransomware deployment with no prior public warning — the 1,570-victim C2 exposure shows that most compromised companies do not know they are targeted until encryption or extortion begins. A successful ransomware deployment across ESXi or Hyper-V infrastructure can simultaneously encrypt virtual machine fleets, halting business operations across multiple business units in minutes. Regulatory exposure is significant for organizations in sectors handling personal data: a dwell-phase breach that leads to data exfiltration triggers breach notification obligations under GDPR, HIPAA, and equivalent frameworks regardless of whether ransomware is ultimately deployed.
You Are Affected If
You operate internet-facing Windows Server, VMware ESXi, Hyper-V, Linux, NAS, or BSD systems without current hardening baselines applied
SMB (port 445) is reachable laterally between workstation and server network segments without host-based firewall restrictions
Windows Defender or equivalent endpoint protection is not monitored for policy tampering or unexpected disablement
Group Policy Objects are not audited for unauthorized modifications, or privileged account activity is not reviewed against a baseline
Your threat intelligence program relies on public leak site monitoring — you have no visibility into pre-extortion dwell activity or C2 botnet indicators
Board Talking Points
A ransomware group has compromised more than 1,570 corporate networks — most of those organizations do not yet know they have been breached.
Security teams should conduct an immediate hunt for SystemBC indicators across enterprise infrastructure within the next 48 hours, prioritizing virtualization and storage systems.
Organizations that take no action remain at risk of ransomware deployment or data extortion with no advance warning, given the group's demonstrated pre-extortion dwell strategy.
GDPR — pre-ransomware dwell with data exfiltration capability constitutes a personal data breach triggering Article 33 notification obligations for EU-operating organizations
HIPAA — healthcare organizations with compromised endpoints face breach notification requirements under 45 CFR §164.400 if protected health information was accessible during dwell period
PCI-DSS — cardholder data environment systems exposed to this botnet may require incident reporting and forensic investigation under PCI-DSS Requirement 12.10
Technical Analysis
The Gentlemen operates as a mature RaaS with multi-platform encryptors targeting Windows, Linux, NAS, BSD, VMware ESXi, and Hyper-V environments.
SystemBC serves as the primary C2 and proxy channel, providing encrypted SOCKS5 tunneling to mask attacker traffic, relevant to CWE-319 (cleartext transmission) and CWE-327 (broken/risky cryptographic algorithms).
The operation disables or modifies Windows Defender (T1562.001) to weaken host defenses, uses SMB for lateral movement (T1021.002), and achieves persistence through Group Policy modification (T1484.001).
Additional MITRE techniques observed include process injection (T1055), lateral tool transfer (T1570), C2 over HTTP/S (T1071.001), service stop (T1489), inhibit system recovery (T1490), valid account abuse (T1078), PowerShell execution (T1059.001), data encryption for impact (T1486), and exploitation of public-facing applications (T1190). CWE-693 (protection mechanism failure) reflects the Defender bypass tradecraft. No specific CVE is attributed in the primary research; ESXi and Hyper-V exploitation aligns with known hypervisor attack patterns. The 1,570-to-320 victim ratio is a critical intelligence signal indicating active pre-extortion dwell across a large portion of the botnet. Sources: Check Point Research (T3), The Hacker News (T3), Microsoft Security Blog (T1).
Action Checklist (IR enriched)
Triage Priority:
IMMEDIATE
Escalate to executive leadership, legal counsel, and breach notification counsel immediately if any of the following conditions are confirmed: evidence of data exfiltration prior to encryption (The Gentlemen C2 telemetry indicates staging before encryption), compromise of ESXi or Hyper-V hypervisors hosting systems that process PII, PHI, or PCI-DSS-scoped data (triggering mandatory breach notification timelines under GDPR Article 33, HIPAA §164.412, or state notification laws), active ransomware encryption detected on production systems, or the responding team lacks the capability to conduct live memory forensics on SystemBC-infected hosts.
Step 1: Containment. Immediately audit SystemBC indicators across your environment; block known SystemBC C2 communication patterns at the perimeter firewall and proxy. Isolate any host exhibiting outbound SOCKS5 tunneling to unrecognized external IPs. Prioritize ESXi, Hyper-V, and NAS hosts given The Gentlemen's confirmed targeting scope.
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SC-7 (Boundary Protection)
NIST SI-4 (System Monitoring)
CIS 13.4 (Perform Traffic Filtering Between Network Segments)
CIS 4.4 (Implement and Manage a Firewall on Servers)
Compensating Control
On pfSense or iptables-managed perimeters, block outbound TCP 1080 (SOCKS5 default) and log new outbound sessions in the high-port range for review: `iptables -A FORWARD -p tcp --dport 1080 -j DROP && iptables -A FORWARD -p tcp --dport 4000:9999 -m state --state NEW -j LOG --log-prefix 'SOCKS5-SUSPECT '` (use the FORWARD chain on a gateway, since OUTPUT only covers the firewall host's own traffic; the port rule cannot see SOCKS5 negotiation itself, it only surfaces new high-port sessions for triage). For ESXi hosts, use `esxcli network firewall ruleset set --enabled=false --ruleset-id=sshServer` to close SSH access that is not needed during containment. Run Wireshark or tcpdump on a perimeter tap with the filter `tcp port 1080 or tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x05` to catch SOCKS5 negotiation in flight: every SOCKS5 message begins with the version byte 0x05, and the offset expression skips the TCP header to test the first payload byte, so expect some false positives from unrelated protocols and confirm in the capture. For NAS isolation, disable SMB shares and remote admin interfaces at the switch port level if host-level access is unavailable.
Preserve Evidence
Before isolating any host, capture full memory with WinPmem or Magnet RAM Capture on Windows endpoints — SystemBC runs as a reflectively-loaded implant and its configuration (C2 IP:port pairs, encryption keys) exists only in process memory. On ESXi, run `vm-support -s` to capture a diagnostic bundle including vmkernel logs and active network connections before pulling the NIC. Preserve firewall and proxy logs showing outbound SOCKS5 negotiation sequences and destination IPs/ports for C2 attribution. Document all active TCP sessions from suspected hosts using `netstat -anob` (Windows) or `ss -tnp` (Linux) before network isolation destroys that live state.
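An added example for the containment step (not code from the advisory or from Check Point): a small parser that classifies captured TCP payloads as SOCKS5 greetings, method selections or requests and extracts the requested destination, so a flow flagged by the firewall can be confirmed as SOCKS5 and its destination compared with the asset inventory. The sample payloads and the `known_destinations` set are constructed.

```python
"""Classify captured TCP payloads as SOCKS5 messages (RFC 1928) and extract the
requested destination. Added example, not code from the advisory or Check Point.
Sample payloads below are constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress
import struct

SOCKS_VERSION = 0x05
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
METHODS = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USER_PASS", 0xFF: "NO_ACCEPTABLE"}


@dataclass
class Socks5Message:
    kind: str                       # "greeting", "method_select" or "request"
    methods: tuple = ()             # auth methods offered (greeting) or chosen (method_select)
    command: Optional[str] = None   # request only
    dst_host: Optional[str] = None
    dst_port: Optional[int] = None


def parse_greeting(data: bytes) -> Optional[Socks5Message]:
    """Client greeting: VER NMETHODS METHODS[NMETHODS]."""
    if len(data) < 3 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        return None
    return Socks5Message("greeting", methods=tuple(METHODS.get(m, f"0x{m:02x}") for m in data[2:]))


def parse_method_select(data: bytes) -> Optional[Socks5Message]:
    """Server reply to the greeting: VER METHOD."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        return None
    return Socks5Message("method_select", methods=(METHODS.get(data[1], f"0x{data[1]:02x}"),))


def parse_request(data: bytes) -> Optional[Socks5Message]:
    """Client request: VER CMD RSV(0x00) ATYP DST.ADDR DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00 or data[1] not in COMMANDS:
        return None
    atyp, body = data[3], data[4:]
    if atyp == 0x01 and len(body) == 6:                       # IPv4 + port
        host = str(ipaddress.IPv4Address(body[:4]))
    elif atyp == 0x03 and body and len(body) == 3 + body[0]:  # length-prefixed domain + port
        host = body[1:1 + body[0]].decode("ascii", errors="replace")
    elif atyp == 0x04 and len(body) == 18:                    # IPv6 + port
        host = str(ipaddress.IPv6Address(body[:16]))
    else:
        return None
    port = struct.unpack("!H", body[-2:])[0]
    return Socks5Message("request", command=COMMANDS[data[1]], dst_host=host, dst_port=port)


def classify(data: bytes) -> Optional[Socks5Message]:
    """Return the SOCKS5 message a payload looks like, or None if it is not SOCKS5.
    Without flow direction the classification is heuristic: feed it the first
    segments of a flow in order and confirm against the full pcap."""
    for parser in (parse_request, parse_greeting, parse_method_select):
        msg = parser(data)
        if msg is not None:
            return msg
    return None


def summarize_flow(payloads: list, known_destinations: set) -> dict:
    """Walk the first payloads of a flow; a CONNECT to a destination outside the
    inventory is the 'outbound SOCKS5 to unrecognized hosts' condition of Step 1."""
    msgs = [m for m in map(classify, payloads) if m is not None]
    kinds = {m.kind for m in msgs}
    req = next((m for m in msgs if m.kind == "request"), None)
    return {
        "is_socks5": {"greeting", "method_select"} <= kinds,
        "command": req.command if req else None,
        "destination": f"{req.dst_host}:{req.dst_port}" if req else None,
        "unrecognized_destination": req is not None and req.dst_host not in known_destinations,
    }


# Constructed sample flow: greeting offering NO_AUTH, server picks NO_AUTH,
# then CONNECT to 192.168.1.10:443 (IPv4 ATYP).
SAMPLE_FLOW = [bytes.fromhex("050100"), bytes.fromhex("0500"), bytes.fromhex("05010001c0a8010a01bb")]

if __name__ == "__main__":
    print(summarize_flow(SAMPLE_FLOW, known_destinations={"10.0.0.5"}))
```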
Step 2: Detection. Hunt for SystemBC artifacts: search EDR telemetry for svchost anomalies spawning network connections, unexpected SOCKS5 proxy traffic, and PowerShell execution chains (Event ID 4104). Check Windows Event Logs for Group Policy modification events (Event ID 5136) and Windows Defender tampering (Event ID 5001, 5004, 5007). If EDR is deployed, consult vendor-specific behavioral detection rules for Defender tampering (e.g., CrowdStrike's Falcon Intelligence for Defender API abuse patterns). Review SMB lateral movement indicators via Event ID 4624 (logon type 3) combined with new service creation (Event ID 7045) on remote hosts.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Deploy Sysmon with the SwiftOnSecurity config (minimum) and add custom rules for: Event ID 3 (NetworkConnect) where Image is 'svchost.exe' AND DestinationPort is 1080 or matches known SystemBC high-port ranges (Event ID 3 records the connecting process in Image; it has no ParentImage field); Event ID 1 (ProcessCreate) where ParentCommandLine contains 'powershell' spawning unknown binaries. For GPO tampering without a SIEM, run this PowerShell on domain controllers hourly via Task Scheduler: `Get-ADObject -Filter {ObjectClass -eq 'groupPolicyContainer'} -Properties whenChanged | Where-Object {$_.whenChanged -gt (Get-Date).AddHours(-1)} | Select-Object Name, whenChanged | Export-Csv C:\GPO_Changes.csv -Append`. Use Sigma rule detection for SystemBC (search GitHub: SigmaHQ rule 'sysmon_susp_svchost_no_cli') converted to Windows Event Log queries with sigmac. Query Security.evtx directly using `wevtutil qe Security /q:"*[System[EventID=5136]]" /f:text` for AD object modification events.
Preserve Evidence
Collect Windows Security Event Log entries for Event ID 5136 (DS Object Modified) filtered on objectClass=groupPolicyContainer to identify unauthorized GPO changes consistent with The Gentlemen's use of GPO to deploy ransomware payloads and disable Defender. Capture Windows Defender operational log at `%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx` for Event IDs 5001 (real-time protection disabled), 5004 (monitoring configuration changed), and 5007 (configuration changed) — these directly evidence Defender tampering preceding encryption. Preserve Sysmon Event ID 3 logs showing svchost.exe network connections to external IPs, which fingerprint SystemBC's use of svchost as a masquerade host. For ESXi, collect `/var/log/hostd.log` and `/var/log/shell.log` for unauthorized API calls or shell sessions preceding snapshot deletion activity consistent with T1490.
Step 3: Eradication. Remove SystemBC implants identified during detection; re-enable and verify integrity of Windows Defender real-time protection. Audit and revert unauthorized Group Policy Objects. Reset credentials for any valid accounts showing anomalous logon patterns (T1078). Patch internet-facing systems, with priority on ESXi and Hyper-V hosts exposed externally.
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST IA-5 (Authenticator Management)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
CIS 5.2 (Use Unique Passwords)
Compensating Control
For SystemBC implant removal without EDR, use Autoruns (Sysinternals) to identify persistence mechanisms — SystemBC commonly persists via scheduled tasks or service registration; export a baseline with `autorunsc.exe -a * -c > autoruns_baseline.csv` and diff it against a known-good export. Verify Defender integrity with `sc query WinDefend` and `Set-MpPreference -DisableRealtimeMonitoring $false; Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled,AMServiceEnabled`. For GPO audit and revert, run `Get-GPOReport -All -ReportType XML -Path C:\GPO_Audit.xml` and compare against the last known-good backup in `SYSVOL\{domain}\Policies`. Force AD credential resets for all accounts that authenticated during the compromise window: `Get-ADUser -Filter * -Properties LastLogonDate | Where-Object {$_.LastLogonDate -gt $compromiseDate} | Set-ADAccountPassword -Reset` (`LastLogonDate` is not returned by default, hence `-Properties`; it derives from the replicated lastLogonTimestamp, which can lag by up to 14 days, so cross-check Event ID 4624 logon type 3 activity on the domain controllers as well; without `-NewPassword`, `-Reset` prompts for a new password per account). For ESXi patching without vCenter, download ESXi patches directly from my.vmware.com and apply them with `esxcli software vib update -d /vmfs/volumes/datastore/patch.zip`.
Preserve Evidence
Before removing SystemBC implants, capture the full file path, hash (SHA-256), and parent process of each implant artifact — use `Get-FileHash -Algorithm SHA256` on all identified binaries and cross-reference against VirusTotal or MalwareBazaar offline feeds. Preserve the registry hive snapshot (`reg save HKLM\SYSTEM system.hiv`) to document any service keys or Run entries used for SystemBC persistence before deletion. Export the full GPO diff showing unauthorized objects — use `Get-GPOReport` output before and after revert — as this constitutes evidence of T1484.001 (Group Policy Modification). Document all accounts reset with timestamps and source logon events for potential regulatory breach notification records.
Step 4: Recovery. After eradication, validate that Defender policies are restored and no unauthorized GPOs remain. Monitor SMB traffic baselines for 14 days post-remediation. Confirm ESXi and Hyper-V snapshot/backup integrity before restoring workloads; ransomware operators targeting these platforms often delete snapshots (T1490) prior to encryption.
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CP-10 (System Recovery and Reconstitution)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 11.1 (Establish and Maintain a Data Recovery Process)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Validate ESXi snapshot state by listing VM IDs with `vim-cmd vmsvc/getallvms` and running `vim-cmd vmsvc/snapshot.get <vmid>` for each VM, cross-checking snapshot creation timestamps against the estimated compromise window — snapshots created or deleted during the intrusion period are suspect. Verify Hyper-V checkpoint integrity with `Get-VMSnapshot -VMName * | Select-Object VMName, Name, CreationTime | Export-Csv C:\HyperV_Snapshots.csv`. For SMB baseline monitoring without a SIEM, deploy a lightweight osquery scheduled query: `SELECT pid, remote_address, remote_port, local_port FROM process_open_sockets WHERE remote_port=445` running every 5 minutes, logging to a central syslog target. Validate Defender policy restoration using Group Policy Results: `gpresult /H C:\GPResult.html /F` and inspect the security policy section for any remaining unauthorized configurations.
Preserve Evidence
Before restoring any ESXi or Hyper-V workload, preserve the datastore file listing with timestamps (`ls -la /vmfs/volumes/` on ESXi) to document evidence of T1490 snapshot deletion — missing .vmdk delta files or -snapshot descriptor files with anomalous modification times directly evidence pre-encryption staging. Capture the final SMB session table from domain controllers (`net session` and Windows Security Event ID 4624 logon type 3 logs) to establish a clean post-eradication baseline for the 14-day monitoring window. Archive the restored GPO XML exports as the verified clean-state reference for future deviation detection.
Step 5: Post-Incident. Conduct a gap assessment against CIS Benchmark controls for Windows Server and VMware ESXi hardening. Implement network segmentation to limit SMB reachability between workstation and server VLANs. Deploy deception assets (honeypots) tuned to SMB lateral movement patterns to improve early detection of future intrusions consistent with this tradecraft.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SC-7 (Boundary Protection)
NIST SI-4 (System Monitoring)
NIST RA-3 (Risk Assessment)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 4.2 (Establish and Maintain a Secure Configuration Process for Network Infrastructure)
CIS 13.4 (Perform Traffic Filtering Between Network Segments)
Compensating Control
Run CIS-CAT Lite (free from CIS) against the Windows Server and ESXi benchmarks to produce a scored gap report without enterprise tooling. For SMB segmentation on a budget, implement Windows Firewall rules through GPO that block inbound TCP 445 on the target OU from the peer subnet that has no business reaching it (for example, the workstation subnet on the workstation OU, since workstations rarely need to serve SMB to each other): `New-NetFirewallRule -DisplayName 'Block-SMB-Lateral' -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress <remote_subnet_CIDR> -Action Block`. Deploy OpenCanary (free, Python-based) as an SMB honeypot: set `"smb.enabled": true` in the JSON `opencanary.conf` and alert on any connection to the deception share — The Gentlemen's lateral movement via SMB service creation (Event ID 7045) will trigger this before reaching production hosts. Update Sigma detection rules in your SIEM or Windows Event Forwarding pipeline to include the specific SystemBC SOCKS5 behavioral pattern documented in the Check Point research for long-term threat hunting.
Preserve Evidence
Compile the complete incident timeline documenting SystemBC C2 dwell time (first beaconing event to detection), all accounts used under T1078, all GPO objects modified under T1484.001, and all hosts with confirmed Defender tampering events — this timeline is required for regulatory breach notification assessment and lessons-learned documentation per NIST 800-61r3 §4. Preserve the Check Point-referenced C2 IOC list (SystemBC C2 IPs/domains) as a permanent threat intelligence artifact in your IOC repository for ongoing detection tuning. Document all gaps identified in the CIS Benchmark assessment as formal risk acceptance or remediation tickets to satisfy NIST RA-3 (Risk Assessment) requirements.
Recovery Guidance
Before restoring any virtualized workloads on ESXi or Hyper-V, verify backup integrity by restoring to an isolated VLAN and validating system hashes against pre-incident baselines — The Gentlemen specifically targets hypervisor snapshot chains for deletion (T1490), meaning backups predating the July 2025 campaign start date are the only reliable restore points. Monitor SMB traffic (TCP 445), new Windows service creation (Event ID 7045), and outbound SOCKS5 connections continuously for a minimum of 14 days post-eradication, as SystemBC implants have been observed re-establishing C2 channels from secondary persistence mechanisms not caught in initial triage. Re-run the CIS Benchmark assessment 30 days post-recovery to validate that hardening changes persisted and no drift toward pre-incident configuration has occurred via unauthorized GPO modification.
Key Forensic Artifacts
SystemBC implant in-memory configuration: Captured via full memory acquisition (WinPmem/Magnet RAM Capture) from suspected hosts — contains plaintext or lightly obfuscated C2 IP:port pairs, RC4 or AES encryption keys, and proxy configuration specific to The Gentlemen's C2 infrastructure; this artifact is destroyed on reboot.
Windows Defender Operational Event Log (Microsoft-Windows-Windows Defender/Operational.evtx): Event IDs 5001, 5004, and 5007 directly evidence Defender real-time protection disablement and configuration tampering that The Gentlemen operators perform prior to deploying ransomware payloads across Windows hosts.
Active Directory DS Replication and GPO modification logs (Windows Security Event ID 5136, objectClass=groupPolicyContainer): Documents unauthorized Group Policy Objects created or modified under T1484.001 to distribute ransomware binaries or disable security controls across domain-joined systems at scale.
ESXi datastore metadata and vmkernel logs (/vmfs/volumes/ directory timestamps, /var/log/hostd.log, /var/log/shell.log): Timestamps of deleted .vmdk snapshot delta files and descriptor files evidence T1490 snapshot deletion by The Gentlemen operators immediately preceding ESXi encryption; hostd.log records the API calls used to enumerate and delete VM snapshots.
Network proxy and firewall logs showing SOCKS5 tunnel establishment: Specifically, TCP sessions to external IPs on port 1080 or operator-configured high ports originating from svchost.exe-masquerading processes — these logs document the SystemBC C2 beaconing channel, lateral movement staging, and the dwell time between initial compromise and ransomware deployment across the 1,570+ victim network pattern confirmed by Check Point research.
Detection Guidance
Primary detection focus: SystemBC C2 beaconing and SOCKS5 proxy traffic.
Query proxy and firewall logs for outbound connections using SOCKS5 protocol to non-inventory external IPs, particularly at irregular intervals suggesting automated beaconing.
In EDR, hunt for svchost.exe or rundll32.exe instances with anomalous parent processes initiating encrypted outbound sessions.
Windows Event ID 5136 (directory service object modified) combined with unexpected GPO changes is a high-fidelity indicator for T1484.001. Windows Defender tampering: monitor Event IDs 5001, 5004, and 5007 in the Microsoft-Windows-Windows Defender/Operational log. SMB lateral movement: correlate Event ID 4624 (type 3 network logons) from a single source to multiple destinations within short time windows, paired with Event ID 7045 (new service installed) on target hosts. Process injection (T1055): look for cross-process memory writes from non-system processes. PowerShell (T1059.001): alert on encoded command execution and AMSI bypass patterns. As of the publication date of this intelligence item, no comprehensive public IOC list has been released by Check Point Research; treat all SystemBC-attributed infrastructure as high-confidence adversary-controlled until formally published by the vendor.
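An added example (not code from the advisory or from Check Point) that runs the SMB lateral-movement correlation (Event ID 4624 type 3 fan-out from one source, paired with Event ID 7045 on the targets) and the Defender tampering check (5001/5004/5007) from Step 2 and this section over exported event records. The sample events and the field names (`event_id`, `time`, `computer`, `logon_type`, `source_ip`, `service_name`) are constructed assumptions standing in for a normalised SIEM or `Get-WinEvent` export.

```python
"""Correlate Windows event records for the SMB lateral-movement and Defender
tampering patterns in the detection guidance. Added example, not code from the
advisory; field names and sample records are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

DEFENDER_TAMPER_IDS = {5001, 5004, 5007}  # Microsoft-Windows-Windows Defender/Operational


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def smb_lateral_movement(events: List[dict], window: timedelta = timedelta(minutes=10),
                         min_targets: int = 3) -> List[dict]:
    """Flag a source IP whose type-3 logons (Event ID 4624) reach at least
    `min_targets` distinct hosts inside `window`, and list any new service
    installs (Event ID 7045) those hosts recorded in the same window."""
    logons = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            logons[e["source_ip"]].append((_ts(e["time"]), e["computer"]))
    services = [(_ts(e["time"]), e["computer"], e.get("service_name"))
                for e in events if e["event_id"] == 7045]

    findings = []
    for src, hits in logons.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):              # slide the window over each logon
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            targets = sorted({host for _, host in in_window})
            if len(targets) < min_targets:
                continue
            t_end = t0 + window
            new_services = sorted({f"{host}:{svc}" for t, host, svc in services
                                   if host in targets and t0 <= t <= t_end})
            findings.append({"source_ip": src, "window_start": t0.isoformat(),
                             "targets": targets, "new_services": new_services})
            break                                        # one finding per source is enough for triage
    return findings


def defender_tampering(events: List[dict]) -> Dict[str, List[int]]:
    """Hosts that logged Defender protection-disabled / configuration-changed events."""
    hosts = defaultdict(set)
    for e in events:
        if e["event_id"] in DEFENDER_TAMPER_IDS:
            hosts[e["computer"]].add(e["event_id"])
    return {h: sorted(ids) for h, ids in hosts.items()}


# Constructed sample: one workstation fans out over SMB to three servers, installs a
# service on two of them, and Defender real-time protection is switched off on one.
SAMPLE_EVENTS = [
    {"event_id": 4624, "time": "2025-09-01T02:00:05", "computer": "SRV-FILE01", "logon_type": 3, "source_ip": "10.10.5.23"},
    {"event_id": 4624, "time": "2025-09-01T02:00:40", "computer": "SRV-APP02", "logon_type": 3, "source_ip": "10.10.5.23"},
    {"event_id": 7045, "time": "2025-09-01T02:01:10", "computer": "SRV-FILE01", "service_name": "WinUpdateSvc"},
    {"event_id": 4624, "time": "2025-09-01T02:02:15", "computer": "SRV-DB03", "logon_type": 3, "source_ip": "10.10.5.23"},
    {"event_id": 7045, "time": "2025-09-01T02:03:00", "computer": "SRV-DB03", "service_name": "WinUpdateSvc"},
    {"event_id": 5001, "time": "2025-09-01T02:04:30", "computer": "SRV-DB03"},
    {"event_id": 5007, "time": "2025-09-01T02:04:31", "computer": "SRV-DB03"},
    # Benign noise: a single type-3 logon from a backup host and an interactive logon.
    {"event_id": 4624, "time": "2025-09-01T02:05:00", "computer": "SRV-FILE01", "logon_type": 3, "source_ip": "10.10.9.9"},
    {"event_id": 4624, "time": "2025-09-01T02:06:00", "computer": "WS-0412", "logon_type": 2, "source_ip": "127.0.0.1"},
]

if __name__ == "__main__":
    for f in smb_lateral_movement(SAMPLE_EVENTS):
        print("SMB fan-out:", f)
    print("Defender tampering:", defender_tampering(SAMPLE_EVENTS))
```

Tune `window` and `min_targets` to the environment's baseline; backup and vulnerability-scanning hosts legitimately fan out over SMB and belong on an allowlist before the rule goes live.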
Indicators of Compromise (2)
1 domain, 1 IP
DOMAIN: [not publicly confirmed as of configuration date]. Context: SystemBC C2 infrastructure attributed to The Gentlemen RaaS; specific IOCs not released in available source material; monitor Check Point Research and threat sharing platforms (ISACs, MISP) for updated indicators. Confidence: LOW.
IP: [not publicly confirmed as of configuration date]. Context: SystemBC proxy/C2 IP infrastructure; specific values not disclosed in available source material; subscribe to Check Point ThreatCloud or equivalent feeds for confirmed indicators. Confidence: LOW.
Platform Playbooks: Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires a separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
MITRE ATT&CK Hunting Queries (8)
Sentinel rule: Ransomware activity
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileRenamed"
| where FileName matches regex @"(?i)\.(encrypted|locked|crypto|crypt|enc|ransom)$"  // KQL has no endswith_any; match the extension with a regex
| summarize RenamedFiles = count() by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where RenamedFiles > 20
| sort by RenamedFiles desc
Sentinel rule: Process injection / hollowing
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "WriteToLsassProcessMemory", "NtAllocateVirtualMemoryApiCall", "NtMapViewOfSectionRemoteApiCall")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, ActionType
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe")  // svchost.exe deliberately not excluded: SystemBC uses it as a masquerade host
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Lateral movement via RDP / SMB / WinRM
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
Sentinel rule: Web application exploit patterns
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
or RequestURL has_any ("../", "..\\", "<script", "UNION SELECT", "${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
Sentinel rule: Security tool tampering
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
"Set-MpPreference", "DisableRealtimeMonitoring",
"net stop", "sc stop", "sc delete", "taskkill /f",
"Add-MpPreference -ExclusionPath"
)
| where ProcessCommandLine has_any ("defender", "sense", "security", "antivirus", "firewall", "crowdstrike", "sentinel")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1; weak/benign indicators pre-filtered; expiration set to 90 days. The value below is a placeholder, not a confirmed indicator, so the payload should not be submitted until a confirmed value replaces it.
[
{
"type": "domain",
"value": "[not publicly confirmed as of configuration date]",
"source": "SCC Threat Intel",
"description": "SystemBC C2 infrastructure attributed to The Gentlemen RaaS \u2014 specific IOCs not released in available source material; monitor Check Point Research and threat sharing platforms (ISACs, MISP) for upd",
"severity": "medium",
"action": "no_action",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-07-22T00:00:00Z"
}
]
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1486, T1583.004, T1041, T1055, T1570, T1071.001 (+11 more)
NIST SP 800-53: CP-9, CP-10, CA-7, SC-7, SI-4, AC-6 (+13 more)
HIPAA: 164.312(e)(1), 164.308(a)(7)(ii)(A), 164.308(a)(6)(ii)
MITRE ATT&CK Mapping
T1486 Data Encrypted for Impact (impact)
T1041 Exfiltration Over C2 Channel (exfiltration)
T1055 Process Injection (defense-evasion)
T1570 Lateral Tool Transfer (lateral-movement)
T1057 Process Discovery (discovery)
T1489 Service Stop (impact)
T1484.001 Group Policy Modification (defense-evasion)
T1078 Valid Accounts (defense-evasion)
T1021.002 SMB/Windows Admin Shares (lateral-movement)
T1490 Inhibit System Recovery (impact)
T1543 Create or Modify System Process (persistence)
T1190 Exploit Public-Facing Application (initial-access)
T1562.001 Disable or Modify Tools (defense-evasion)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.