Query Details

Dark Side Ransomware

Query

// DarkSide ransomware behavior. Defender for Endpoint connected to Sentinel.
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine matches regex @".dll,#(?:1|3) worker[0-9]\sjob[0-9]-[0-9]{4,}"

Explanation

This query hunts for a specific process-execution behavior associated with the DarkSide ransomware. It selects DeviceProcessEvents rows where the file name is "rundll32.exe" (case-insensitive) and then checks whether the process command line matches the regular expression. The pattern requires a DLL argument followed by the export ordinal "#1" or "#3", the word "worker" plus a single digit, whitespace, and then "job", a digit, a hyphen and a number of at least four digits (for example "job1-2021"). The query assumes Defender for Endpoint is connected to Sentinel so that the DeviceProcessEvents table is available.
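The same filter expressed in Python and run over a few constructed process events, as an added illustration that is not part of the original query page. It reproduces the two KQL conditions (a case-insensitive file-name match and a case-sensitive regex on the command line) so you can see which command lines the pattern actually catches; the event rows and device names are made up.

```python
import re
from dataclasses import dataclass

# Regex copied verbatim from the Sentinel query; Python's re engine accepts it unchanged.
# Note the leading "." is an unescaped any-character, so it matches the character before "dll".
DARKSIDE_CMDLINE = re.compile(r".dll,#(?:1|3) worker[0-9]\sjob[0-9]-[0-9]{4,}")


@dataclass
class ProcessEvent:
    """Minimal stand-in for a DeviceProcessEvents row (constructed, not the real schema)."""
    device_name: str
    file_name: str
    process_command_line: str


def is_darkside_rundll32(event: ProcessEvent) -> bool:
    """Mirror the KQL: FileName =~ "rundll32.exe" and ProcessCommandLine matches regex."""
    # KQL `=~` is case-insensitive equality, so normalise the file name before comparing.
    if event.file_name.lower() != "rundll32.exe":
        return False
    # KQL `matches regex` is case-sensitive and unanchored, like re.search here.
    return DARKSIDE_CMDLINE.search(event.process_command_line) is not None


def hunt(events):
    """Return the device names of events that satisfy both query conditions."""
    return [e.device_name for e in events if is_darkside_rundll32(e)]


# Constructed sample telemetry: two rows should match, four should not.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "rundll32.exe", r"C:\Users\Public\x.dll,#1 worker0 job3-2021"),
    ProcessEvent("ws-02", "RUNDLL32.EXE", r"c:\temp\a.dll,#3 worker2 job0-123456"),
    ProcessEvent("ws-03", "rundll32.exe", "shell32.dll,Control_RunDLL"),        # benign ordinal-free call
    ProcessEvent("ws-04", "rundll32.exe", r"x.dll,#2 worker1 job1-9999"),        # ordinal #2 not in pattern
    ProcessEvent("ws-05", "cmd.exe", r"x.dll,#1 worker0 job1-2021"),             # wrong process name
    ProcessEvent("ws-06", "rundll32.exe", r"x.dll,#1 worker0 job1-999"),         # only three trailing digits
]


def hunt_sample():
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for device in hunt_sample():
        print("DarkSide-style rundll32 invocation on", device)
```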

Details

Rod Trent

Released: August 12, 2021

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, FileName, ProcessCommandLine

Operators

where, =~, matches regex