A few days back Red Canary dropped a blog post titled A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak that highlighted 10 detection opportunities for stopping the most recent Bazar/Ryuk ransomware infections. Below are the 10 SentinelOne Deep Visibility queries I've come up with for detecting the techniques.
T1055.012 Hollowing of cmd.exe
SrcProcParentName = "cmd.exe" AND SrcProcName In Anycase ("svchost.exe","explorer.exe","nltest.exe","net.exe") AND DstPort In ("443","53")
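To make the logic of that query concrete outside the SentinelOne console, here is a small Python version of the same rule run over a few constructed process/network events. This is an added example, not code from Red Canary, SentinelOne, or the original post; the JSON event format and the field names (`SrcProcParentName`, `SrcProcName`, `DstPort`, `DstIp`) are assumptions chosen to mirror the Deep Visibility fields the query references.

```python
import json

# Constructed sample events (not real telemetry). The field names mirror the
# Deep Visibility query above; the values are made up for illustration.
SAMPLE_EVENTS = [
    '{"SrcProcParentName": "cmd.exe", "SrcProcName": "svchost.exe", "DstPort": 443, "DstIp": "203.0.113.10"}',
    '{"SrcProcParentName": "services.exe", "SrcProcName": "svchost.exe", "DstPort": 443, "DstIp": "203.0.113.11"}',
    '{"SrcProcParentName": "cmd.exe", "SrcProcName": "NLTEST.EXE", "DstPort": 53, "DstIp": "198.51.100.5"}',
    '{"SrcProcParentName": "cmd.exe", "SrcProcName": "ping.exe", "DstPort": 0, "DstIp": "198.51.100.6"}',
    '{"SrcProcParentName": "cmd.exe", "SrcProcName": "explorer.exe", "DstPort": 8080, "DstIp": "203.0.113.12"}',
]

# Child image names the query matches "In Anycase", so compare lower-cased.
SUSPECT_CHILDREN = {"svchost.exe", "explorer.exe", "nltest.exe", "net.exe"}
# Destination ports the query lists as strings; normalise to str before matching.
SUSPECT_PORTS = {"443", "53"}


def is_hollowed_cmd_child(event):
    """Return True when one event satisfies the T1055.012 query:
    parent is cmd.exe, child is one of the commonly hollowed system
    binaries, and the child talks out on 443 or 53."""
    parent = str(event.get("SrcProcParentName", "")).lower()
    child = str(event.get("SrcProcName", "")).lower()   # "In Anycase"
    port = str(event.get("DstPort", ""))
    return parent == "cmd.exe" and child in SUSPECT_CHILDREN and port in SUSPECT_PORTS


def find_hollowing_candidates(lines):
    """Parse JSON event lines and return the events that match the rule.
    Malformed lines are skipped so one bad record does not stop the sweep."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_hollowed_cmd_child(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_hollowing_candidates(SAMPLE_EVENTS):
        print(f"HIT parent={hit['SrcProcParentName']} child={hit['SrcProcName']} "
              f"dst={hit['DstIp']}:{hit['DstPort']}")
```

On the constructed sample, the two `cmd.exe` children that reach out on 443 or 53 (`svchost.exe` and `NLTEST.EXE`) are flagged, while the `services.exe`-parented `svchost.exe` and the `cmd.exe` children on other ports are not. When tuning this in a real environment, expect some benign noise from administrators running `nltest` or `net` from a shell, so review hits alongside the parent command line and the child's image path before acting on them.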
T1482 Domain Trust Discovery