From 48757423efd2f5654c75a3c7f0094656d63c94bf Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 14 May 2021 18:06:53 +0200
Subject: [PATCH] rule darkside patterns
---
 rules/windows/malware/win_mal_darkside.yml | 28 ++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/malware/win_mal_darkside.yml
diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/win_mal_darkside.yml
new file mode 100644
index 000000000..bd71ca991
--- /dev/null
+++ b/rules/windows/malware/win_mal_darkside.yml
@@ -0,0 +1,28 @@
+title: DarkSide Ransomware Pattern
+id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
+author: Florian Roth
+date: 2021/05/14
+description: Detects DarkSide Ransomware and helpers
+status: experimental
+references:
+ - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+ - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
+ - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - "=[char][byte]('0x'+"
+ - ' -work worker0 -path '
+ selection2:
+ ParentCommandLine|contains:
+ - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+ Image|contians:
+ - '\AppData\Local\Temp\'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+ - UAC bypass method used by other malware
+level: critical
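Review bot: The field modifier in selection2 is misspelled as `Image|contians:`, which is not a valid Sigma modifier; depending on the converter this either aborts rule conversion with an unknown-modifier error or is treated as a literal field name that never matches, so the `\AppData\Local\Temp\` constraint would not be applied and selection2 would reduce to the DllHost parent-command-line check alone. The line should read `Image|contains:`. The falsepositives entry already notes that the DllHost `/Processid:{3E5FC7F9-...}` parent pattern is a UAC bypass used by other malware, so without the Image constraint (and with `condition: 1 of them`) the rule's `critical` level would fire on any process spawned through that technique, not just DarkSide; it may be worth stating in the description that selection2 is a generic technique match rather than a family-specific one.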