Dark Side Ransomware
Query
//DarkSide ransomware behavior. Defender for Endpoint connected to Sentinel.
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine matches regex @".dll,#(?:1|3) worker[0-9]\sjob[0-9]-[0-9]{4,}"Explanation
This query is searching for a specific behavior related to the DarkSide ransomware. It looks for instances of the "rundll32.exe" file and checks if the process command line matches a specific pattern. The pattern includes the terms ".dll" and "#1 worker", "#3 worker", followed by "job" and a four-digit number. The query is used in the context of Defender for Endpoint connected to Sentinel.
Details

Rod Trent
Released: August 12, 2021
Tables
DeviceProcessEvents
Keywords
DeviceProcessEventsFileNameProcessCommandLine
Operators
where=~matches regex