DarkSide Ransomware – Detection Mapping

(Splunk | Sentinel | Elastic)


1. Initial Access – VPN Abuse (Valid Accounts)

Behavior

  • Successful VPN login
  • Legacy account
  • No MFA
  • Unusual geography / time

Splunk (VPN Logs)

index=vpn_logs action=success
| stats count by user, src_ip, country
| where count < 3 AND country!="US"

Note: this surfaces rare user/source/country combinations only; replace "US" with the countries your workforce actually signs in from. MFA status and account age are not in most VPN logs, so the "legacy account" and "no MFA" behaviours come from the IAM join below, not from this query.

Enhancement

  • Join against HR / IAM to flag inactive users


Sentinel (KQL – Azure AD / VPN)

SigninLogs
| where ResultType == "0"
| where AuthenticationRequirement != "multiFactorAuthentication"
| summarize count() by UserPrincipalName, IPAddress, Location
| where count_ < 3 and Location != "US"

Note: ResultType is a string column in SigninLogs, so compare against "0". AuthenticationRequirement is "singleFactorAuthentication" for sign-ins that satisfied no MFA policy; a Conditional Access gap for legacy or service accounts shows up here.

Elastic (EQL)

authentication where
event.outcome == "success" and
not authentication.mfa_used and
source.geo.country_name != "United States"

Note: authentication.mfa_used is not an ECS field; substitute whatever your VPN or IdP integration writes for the MFA result (if it writes nothing, MFA state has to come from the identity provider's logs instead).

2. Credential Access – LSASS / Dumping

Behavior

  • LSASS handle access
  • SAM/SECURITY registry export
  • Mimikatz-like access patterns

Splunk (Sysmon Event ID 10)

index=sysmon EventCode=10 TargetImage="*lsass.exe"
GrantedAccess IN ("0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff")
NOT SourceImage IN ("*MsMpEng.exe", "*csrss.exe", "*wininit.exe")

Note: 0x1010 is PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, the mask procdump and Mimikatz-style dumpers request; it must be matched, not excluded. Query-only masks such as 0x1000 and 0x1400 are the benign ones. Tune the SourceImage exclusions to the security tooling in your environment.

Sentinel (Defender for Endpoint)

DeviceProcessEvents
| where ProcessCommandLine has_any ("lsass", "sekurlsa", "procdump", "comsvcs.dll", "sam.save", "security.save")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe")

Note: "lsass" alone is noisy (e.g. tasklist output piped to a script); the other terms cover procdump, the comsvcs.dll MiniDump export and "reg save" of the SAM/SECURITY hives. !in~ makes the exclusion case-insensitive, which !in is not.

Elastic (EQL)

process where event.code == "10" and
winlog.event_data.TargetImage : "*\\lsass.exe" and
winlog.event_data.GrantedAccess : ("0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff") and
not winlog.event_data.SourceImage : ("*\\MsMpEng.exe", "*\\csrss.exe", "*\\wininit.exe")

Note: process.access_mask and process.target.name are not ECS fields. With Sysmon shipped by Winlogbeat or Elastic Agent the ProcessAccess fields land under winlog.event_data.*; adjust if your pipeline renames them.
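
The access-mask logic behind the three queries above, as an added example that is not part of the original mapping. Rather than string-matching one GrantedAccess value, it decodes the mask into process rights and flags any handle to lsass.exe that carries memory read or write rights, so it catches masks that are not on the known-dumper list. The Sysmon lines, the key=value layout and the source-image allowlist are constructed for the example.

```python
"""Classify Sysmon Event ID 10 (ProcessAccess) handles to lsass.exe by access rights.

Added example for this detection mapping, not code from the original page.
Sample events are constructed; the allowlist is an assumption to tune locally.
"""
import ntpath
import re

# Process access rights from winnt.h (the subset that matters for credential dumping).
PROCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
KNOWN_BITS = sum(PROCESS_RIGHTS)  # keys are distinct bits, so sum == bitwise OR
# Any of these rights on lsass.exe gives the memory access a credential dumper needs.
DUMPER_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020
# Source images that legitimately open lsass with broad rights (assumption; tune per environment).
ALLOWLISTED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def decode_mask(mask):
    """Return the named rights set in a GrantedAccess mask, lowest bit first."""
    rights = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    rest = mask & ~KNOWN_BITS
    if rest:
        rights.append(f"0x{rest:x}")  # bits outside the table (e.g. most of 0x1fffff)
    return rights


def classify_lsass_access(granted_access):
    """'suspicious' if the handle carries memory read/write rights, else 'query-only'."""
    mask = int(granted_access, 16)
    return "suspicious" if mask & DUMPER_RIGHTS else "query-only"


# Constructed Sysmon ProcessAccess events flattened to key=value form.
SAMPLE_EVENT10_LINES = [
    "SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1400",
    "SourceImage=C:\\Tools\\procdump64.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "SourceImage=C:\\Tools\\procdump64.exe TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x1fffff",
]
_KV = re.compile(r"(\w+)=(\S+)")


def detect_lsass_access(lines):
    """Return the events that open lsass.exe with dumper rights from a non-allowlisted source."""
    hits = []
    for line in lines:
        fields = dict(_KV.findall(line))
        if ntpath.basename(fields.get("TargetImage", "")).lower() != "lsass.exe":
            continue
        source = ntpath.basename(fields["SourceImage"])
        if source.lower() in ALLOWLISTED_SOURCES:
            continue
        if classify_lsass_access(fields["GrantedAccess"]) == "suspicious":
            hits.append({
                "source": source,
                "granted_access": fields["GrantedAccess"],
                "rights": decode_mask(int(fields["GrantedAccess"], 16)),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_lsass_access(SAMPLE_EVENT10_LINES):
        print(hit)
```

The allowlist is on source image name only; a dumper copied to C:\Windows\System32\csrss.exe would slip past it, so in production key the allowlist on signer or full path as well.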

3. Discovery – Domain Recon

Behavior

  • nltest
  • net group
  • net view /domain

Splunk

index=windows EventCode=4688
CommandLine IN ("*nltest*", "*net view*", "*net group*", "*net1 view*", "*net1 group*")

Note: 4688 only carries the command line when "Include command line in process creation events" is enabled; with the Splunk Add-on for Microsoft Windows the field is Process_Command_Line. net.exe hands the work to net1.exe, so both names appear.

Sentinel (KQL)

DeviceProcessEvents
| where ProcessCommandLine has_any ("nltest", "net view", "net group")

Elastic

process where
process.name : ("nltest.exe", "net.exe", "net1.exe") and
process.command_line : ("*domain*", "*dclist*", "*trusts*")

Note: the : operator is case-insensitive and accepts wildcards, which == and in do not; "dclist" and "trusts" cover nltest /dclist and /domain_trusts.

4. Lateral Movement – PsExec / SMB

Behavior

  • Service creation
  • Remote execution
  • ADMIN$ usage

Splunk (Service Creation)

index=windows EventCode=7045
(Service_Name="PSEXESVC" OR Service_File_Name="*PSEXESVC*")

Note: the default service is PSEXESVC, which the original pattern "%PSEXEC%" does not match (no "PSEXEC" substring). PsExec -r renames the service, so pair this with EventCode=5145 writes to the ADMIN$ share and with any 7045 whose Service_File_Name lives under %SystemRoot% but is not a known installer.

Sentinel

DeviceEvents
| where ActionType == "ServiceInstalled"
| where AdditionalFields contains "PSEXESVC"

Elastic

process where event.type == "start" and
(process.name : ("psexec.exe", "psexesvc.exe") or
process.pe.original_file_name : ("psexec.c", "psexesvc.exe"))

Note: psexec.exe fires on the operator's host, psexesvc.exe on the target. The PE original file name survives renaming of the binary, which a plain process.name match does not.

5. Pre-Encryption – Shadow Copy Deletion

Behavior

  • vssadmin delete
  • wmic shadowcopy
  • bcdedit recoveryenabled no

Splunk (High-Fidelity)

index=windows EventCode=4688
CommandLine IN ("*vssadmin delete shadows*", "*wmic shadowcopy delete*", "*bcdedit*recoveryenabled no*")

Note: vssadmin delete shadows is essentially never run interactively outside backup maintenance; allowlist your backup agent's service account rather than the command.


Sentinel (Very High Confidence)

DeviceProcessEvents
| where ProcessCommandLine has_any (
"vssadmin delete shadows",
"wmic shadowcopy delete",
"bcdedit /set {default} recoveryenabled no"
)

Elastic

process where
process.command_line : (
"*vssadmin delete shadows*",
"*wmic shadowcopy delete*",
"*bcdedit*recoveryenabled no*"
)

6. Ransomware Encryption Behavior

Behavior

  • Mass file modifications
  • Extension change to a victim-specific suffix (".darkside" below is a placeholder)
  • High-rate file writes

Note: DarkSide does not use a fixed extension; each build appends an 8-character string derived from the victim host, so a static extension match only works after the first sample has been analysed. The rate of extension-changing renames per host is the portable signal.

Splunk (File Creation)

index=windows EventCode=4663
ObjectName="*.darkside"

Note: 4663 only fires for objects with a SACL, so this covers audited shares and folders, not every workstation file. Replace .darkside with the extension observed in the incident.

Sentinel (File Events)

DeviceFileEvents
| where FileName endswith ".darkside"

Elastic (EQL)

file where
file.extension : "darkside"

7. Ransom Note Deployment

Behavior

  • README.<extension>.TXT written in many directories (README.darkside.txt below is a placeholder; the middle component is the same victim-specific string as the file extension)


Splunk

index=windows EventCode=4663
ObjectName="*README.*.TXT"
| stats dc(ObjectName) AS dirs by Computer
| where dirs > 20

Sentinel

DeviceFileEvents
| where FileName matches regex @"(?i)^README\.[^.]+\.TXT$"
| summarize dirs=dc(FolderPath) by DeviceName
| where dirs > 20

Elastic

file where
file.name : "README.*.txt"

Note: the distinct-directory count is what separates a ransom note spray from a single README; 20 is a starting threshold, not a measured one.
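
The rate-based logic that sections 6 and 7 describe, as an added example that is not part of the original mapping. Because the DarkSide extension is unique per victim, the code learns the extension from a burst of extension-changing renames instead of matching a fixed one, and separately counts ransom-note drops across distinct directories. The events, thresholds and the Defender-style action names are constructed for the example.

```python
"""Rate-based ransomware encryption detection over file events.

Added example for this detection mapping, not code from the original page.
The file events and thresholds below are constructed.
"""
import ntpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds are assumptions; tune them against a baseline of normal file activity.
RENAME_THRESHOLD = 100    # extension-changing renames per host per minute
NOTE_DIR_THRESHOLD = 20   # distinct directories receiving a ransom note
NOTE_NAME = re.compile(r"^README\.[^.]+\.TXT$", re.IGNORECASE)


@dataclass
class FileEvent:
    ts: datetime
    host: str
    action: str                       # "FileRenamed" or "FileCreated" (Defender-style names)
    path: str                         # new path
    previous_path: Optional[str] = None


def rename_bursts(events, threshold=RENAME_THRESHOLD):
    """Flag (host, minute) bins with >= threshold renames that changed the extension.

    Returns the dominant new extension so the analyst learns it from the burst."""
    per_bin = defaultdict(Counter)    # (host, minute) -> Counter of new extensions
    for e in events:
        if e.action != "FileRenamed" or not e.previous_path:
            continue
        new_ext = ntpath.splitext(e.path)[1].lower()
        old_ext = ntpath.splitext(e.previous_path)[1].lower()
        if new_ext and new_ext != old_ext:
            minute = e.ts.replace(second=0, microsecond=0)
            per_bin[(e.host, minute)][new_ext.lstrip(".")] += 1
    alerts = []
    for (host, minute), exts in sorted(per_bin.items()):
        total = sum(exts.values())
        if total >= threshold:
            ext, n = exts.most_common(1)[0]
            alerts.append({"host": host, "minute": minute, "renames": total,
                           "extension": ext, "share": n / total})
    return alerts


def note_sprays(events, threshold=NOTE_DIR_THRESHOLD):
    """Flag hosts where a README.<ext>.TXT appeared in >= threshold distinct directories."""
    dirs = defaultdict(set)
    for e in events:
        if e.action == "FileCreated" and NOTE_NAME.match(ntpath.basename(e.path)):
            dirs[e.host].add(ntpath.dirname(e.path).lower())
    return [{"host": h, "directories": len(d)}
            for h, d in sorted(dirs.items()) if len(d) >= threshold]


def constructed_events():
    """Constructed sample: one encrypting workstation and one quiet file server."""
    base = datetime(2021, 5, 7, 10, 15, 0)
    ev = []
    for i in range(300):   # WS-017: 300 documents renamed to a victim-specific suffix in 30 s
        ev.append(FileEvent(base + timedelta(milliseconds=100 * i), "WS-017", "FileRenamed",
                            f"C:\\Users\\jdoe\\Documents\\q{i}.a1b2c3d4",
                            f"C:\\Users\\jdoe\\Documents\\q{i}.docx"))
    for i in range(30):    # WS-017: ransom note dropped in 30 directories
        ev.append(FileEvent(base + timedelta(seconds=30 + i), "WS-017", "FileCreated",
                            f"C:\\Users\\jdoe\\dir{i}\\README.a1b2c3d4.TXT"))
    for i in range(5):     # FS-02: a handful of normal renames spread over minutes; must not alert
        ev.append(FileEvent(base + timedelta(minutes=i), "FS-02", "FileRenamed",
                            f"D:\\share\\report{i}.bak", f"D:\\share\\report{i}.docx"))
    return ev


if __name__ == "__main__":
    events = constructed_events()
    print(rename_bursts(events))
    print(note_sprays(events))
```

The "share" value is how much of the burst went to one extension; a build tool rewriting thousands of files produces a high rename count spread over several extensions, while ransomware concentrates on one.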


8. Network – Tor / C2 Indicators

Behavior

  • Tor traffic
  • .onion resolution
  • Rare HTTPS destinations

Splunk (Proxy)

index=proxy url="*.onion*"

Note: Tor does not resolve .onion names through the corporate proxy or DNS, so this only catches Tor2web-style gateways; it is cheap but low-recall. Add egress to known Tor relay and exit addresses, and process starts of tor.exe, for the real coverage.

Sentinel (Defender Network)

DeviceNetworkEvents
| where RemoteUrl endswith ".onion"

Elastic

any where
destination.domain : "*.onion" or dns.question.name : "*.onion"

Note: the original network where network.protocol == "http" filter excluded DNS events; any where lets the same pattern match both proxy and DNS data.


9. Ransomware Kill-Chain Correlation (High Confidence)

Sentinel Fusion Logic (Example)

let ShadowDelete =
    DeviceProcessEvents
    | where ProcessCommandLine has "vssadmin delete";
let FileEncrypt =
    DeviceFileEvents
    | where FileName endswith ".darkside";
ShadowDelete
| join kind=inner FileEncrypt on DeviceId
| where abs(datetime_diff('minute', Timestamp, Timestamp1)) <= 15

Shadow copy deletion followed within minutes by mass writes of the ransomware extension on the same host is a near-certain ransomware signal. The time bound matters: without it the join pairs a months-old backup job with today's file events.


10. Recommended Alert Severity

Detection                     Severity
LSASS access                  High
Shadow copy deletion          Critical
Ransom note creation          Critical
Mass file extension change    Critical
VPN login without MFA         Medium; High when the account is dormant or the geography/time is unusual

11. IR Playbook Trigger

If ANY TWO occur within 15 minutes:

  • Shadow copy deletion
  • LSASS access
  • Ransom note creation

➡️ Immediately isolate host
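
The playbook trigger above and the Fusion join in section 9, as one added example that is not part of the original mapping: any two distinct signals (shadow copy deletion, LSASS access, ransom note creation) on the same host within 15 minutes raise an isolation trigger. Inputs are the normalized outputs of the per-stage rules; the alert set, host names and signal labels are constructed.

```python
"""Kill-chain correlation: two distinct ransomware signals on one host within a window.

Added example for this detection mapping, not code from the original page.
The alerts below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SIGNALS = {"shadow_delete", "lsass_access", "ransom_note"}


@dataclass
class Alert:
    ts: datetime
    host: str
    signal: str


def correlate(alerts, window=timedelta(minutes=15), required=2):
    """Return one isolation trigger per host, timed at the alert that completes the pair.

    A sliding window over each host's time-sorted alerts keeps only alerts no older
    than `window` and checks how many distinct signal types it holds."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.signal not in SIGNALS:
            raise ValueError(f"unknown signal {a.signal!r}")
        by_host[a.host].append(a)
    triggers = []
    for host, items in sorted(by_host.items()):
        start = 0
        for end, cur in enumerate(items):
            while cur.ts - items[start].ts > window:   # drop alerts that fell out of the window
                start += 1
            seen = {x.signal for x in items[start:end + 1]}
            if len(seen) >= required:
                triggers.append({"host": host, "at": cur.ts,
                                 "signals": sorted(seen), "action": "isolate host"})
                break   # one trigger per host is enough; the playbook takes over
    return triggers


CONSTRUCTED_ALERTS = [
    Alert(datetime(2021, 5, 7, 10, 2), "WS-017", "lsass_access"),
    Alert(datetime(2021, 5, 7, 10, 9), "WS-017", "shadow_delete"),   # 7 min later: trigger here
    Alert(datetime(2021, 5, 7, 10, 16), "WS-017", "ransom_note"),
    Alert(datetime(2021, 5, 7, 9, 0), "FS-02", "shadow_delete"),     # backup maintenance
    Alert(datetime(2021, 5, 7, 9, 40), "FS-02", "lsass_access"),     # 40 min later: outside window
    Alert(datetime(2021, 5, 7, 11, 0), "WS-021", "shadow_delete"),
    Alert(datetime(2021, 5, 7, 11, 1), "WS-021", "shadow_delete"),   # same signal twice is not two signals
]

if __name__ == "__main__":
    for trigger in correlate(CONSTRUCTED_ALERTS):
        print(trigger)
```

Widening the window trades precision for recall: at 45 minutes FS-02's backup job plus a later LSASS access would also isolate the file server, which is why the playbook fixes 15 minutes and counts distinct signal types rather than raw alert volume.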


12. Why Behavior > IOCs for DarkSide

  • Per-victim builds
  • Rapid hash rotation
  • Infrastructure churn
  • Affiliate variability

DarkSide is best detected by intent, not signatures.