DarkSide Ransomware Pattern
Detects DarkSide Ransomware and helpers
Sigma rule (View on GitHub)
1title: DarkSide Ransomware Pattern
2id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
3status: test
4description: Detects DarkSide Ransomware and helpers
5references:
6 - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
7 - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
8 - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
9author: Florian Roth (Nextron Systems)
10date: 2021-05-14
11tags:
12 - attack.execution
13 - attack.t1204
14 - detection.emerging-threats
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection1:
20 CommandLine|contains:
21 - '=[char][byte](''0x''+'
22 - ' -work worker0 -path '
23 selection2:
24 ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
25 Image|contains: '\AppData\Local\Temp\'
26 condition: 1 of selection*
27falsepositives:
28 - Unknown
29 - UAC bypass method used by other malware
30level: critical
References
-
The creators of DARKSIDE ransomware have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More -
Related rules
- Potential Snatch Ransomware Activity
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Blue Mockingbird