The DarkSide ransomware is likely encrypting files across the environment, which could indicate an ongoing ransomware attack. SOC teams should proactively hunt for this behavior to identify and mitigate potential data exfiltration and operational disruption before it escalates.
KQL Query

```kql
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine matches regex @".dll,#(?:1|3) worker[0-9]\sjob[0-9]-[0-9]{4,}"
```
```yaml
id: 046d30fc-02b5-4b5f-a244-9c0da92baa5e
name: DarkSide
description: |
  Use this query to look for running DarkSide ransomware behavior in the environment
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  DeviceProcessEvents
  | where FileName =~ "rundll32.exe"
  | where ProcessCommandLine matches regex @".dll,#(?:1|3) worker[0-9]\sjob[0-9]-[0-9]{4,}"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task is configured to run a script that performs system maintenance, which may include file operations similar to ransomware.
Filter/Exclusion: Exclude tasks associated with known system maintenance tools like Task Scheduler or Windows Update by checking the task name or command line arguments.
Scenario: Backup Job Using Veeam or Acronis
Description: A backup job initiated by Veeam or Acronis may temporarily lock or encrypt files during the backup process, triggering the rule.
Filter/Exclusion: Exclude processes related to Veeam or Acronis by checking the process name or using the process.parent field to identify backup-related parent processes.
Scenario: Admin Performing File Encryption for Compliance
Description: An administrator may encrypt files as part of a compliance or data classification task using tools like BitLocker or Veracrypt.
Filter/Exclusion: Exclude processes associated with BitLocker or Veracrypt by checking the process name or using the process.parent field to identify administrative tasks.
Scenario: PowerShell Script for File Archiving
Description: A PowerShell script used for archiving or compressing files may perform operations that resemble ransomware behavior, such as renaming or encrypting files.
Filter/Exclusion: Exclude PowerShell scripts that are known to be used for archiving by checking the script path or using the script_name field to identify legitimate archiving scripts.
Scenario: Antivirus or Endpoint Protection Scan
Description: Some endpoint protection tools may temporarily encrypt or lock files during a deep scan or quarantine process, which can trigger the rule.
Filter/Exclusion: Exclude processes associated with antivirus vendors like Microsoft Defender, Kaspersky, or Bitdefender by checking the process name or using the `process
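The following Python script is an added example, not part of the original rule or of Microsoft Sentinel. It replays the two KQL `where` clauses (case-insensitive `FileName` match, case-sensitive regex on `ProcessCommandLine`) over constructed `DeviceProcessEvents` rows, and adds the parent-process exclusion that the false-positive scenarios above describe. The `DeviceProcessEvent` dataclass, `hunt()` helper, the sample rows and the `excluded_parents` allow-list are assumptions made for the example; `InitiatingProcessFileName` is used as the DeviceProcessEvents column that corresponds to the scenarios' `process.parent`.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Regex copied verbatim from the rule's query. KQL "matches regex" is RE2 and
# case-sensitive; Python's re engine behaves identically for this pattern.
DARKSIDE_CMDLINE_RE = re.compile(r".dll,#(?:1|3) worker[0-9]\sjob[0-9]-[0-9]{4,}")


@dataclass(frozen=True)
class DeviceProcessEvent:
    """Subset of DeviceProcessEvents columns needed by the rule and the exclusions (assumed shape)."""
    DeviceName: str
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str  # parent image; the scenarios call this process.parent


# Constructed sample rows for the example; none of these come from a real incident.
SAMPLE_EVENTS: List[DeviceProcessEvent] = [
    # The shape the rule targets: rundll32 calling a DLL by ordinal with worker/job tokens.
    DeviceProcessEvent("wks-01", "rundll32.exe",
                       r"rundll32.exe C:\ProgramData\sample.dll,#1 worker0 job0-12345",
                       "cmd.exe"),
    # Same shape with ordinal #3 and an upper-case image name (=~ is case-insensitive).
    # Parent is a hypothetical vetted maintenance tool, used to show the exclusion knob.
    DeviceProcessEvent("wks-02", "RUNDLL32.EXE",
                       r"RUNDLL32.EXE C:\Users\Public\sample.dll,#3 worker7 job2-9999",
                       "maintenance-tool.exe"),
    # Benign rundll32 use: ordinal call without the worker/job tokens, must not fire.
    DeviceProcessEvent("wks-03", "rundll32.exe",
                       r"rundll32.exe shell32.dll,#61",
                       "explorer.exe"),
    # Benign rundll32 use with a named export, must not fire.
    DeviceProcessEvent("wks-04", "rundll32.exe",
                       r"rundll32.exe printui.dll,PrintUIEntry /in /n \\srv\printer",
                       "svchost.exe"),
    # Matching command line under a different image: the FileName filter must drop it.
    DeviceProcessEvent("wks-05", "notepad.exe",
                       r"notepad.exe C:\tmp\notes.dll,#1 worker1 job1-4444",
                       "explorer.exe"),
    # Job id with only three digits: the regex requires four or more after the dash.
    DeviceProcessEvent("wks-06", "rundll32.exe",
                       r"rundll32.exe C:\tmp\x.dll,#1 worker1 job1-123",
                       "cmd.exe"),
]


def matches_darkside_rule(event: DeviceProcessEvent) -> bool:
    """Mirror the two KQL clauses: case-insensitive image name, then case-sensitive regex."""
    if event.FileName.lower() != "rundll32.exe":
        return False
    return DARKSIDE_CMDLINE_RE.search(event.ProcessCommandLine) is not None


def hunt(events: Iterable[DeviceProcessEvent],
         excluded_parents: frozenset = frozenset()) -> List[DeviceProcessEvent]:
    """Return rule hits, dropping any whose parent image is on a vetted allow-list.

    excluded_parents is the hypothetical tuning knob the false-positive scenarios
    describe (exclusion by parent process). Keep it empty unless a parent has been
    verified as a legitimate maintenance, backup or security tool in your estate.
    """
    allow = {p.lower() for p in excluded_parents}
    return [e for e in events
            if matches_darkside_rule(e)
            and e.InitiatingProcessFileName.lower() not in allow]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.DeviceName}: {hit.ProcessCommandLine}")
```

Running the block lists wks-01 and wks-02 as hits; wks-05 is dropped by the image-name filter and wks-06 by the four-digit job-id requirement. Note that the leading `.` in the pattern is an unescaped metacharacter, so it matches any single character before `dll,#`; because the `worker`/`job` token pair carries the actual signal, this does not materially widen the rule. Parent-based exclusions should be limited to parents you have verified, since an actor can launch rundll32 from ordinary shells such as cmd.exe.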