A few days back Red Canary dropped a blog post titled "A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak" that highlighted 10 detection opportunities for stopping the most recent Bazar/Ryuk ransomware infections. Below are the 10 SentinelOne Deep Visibility queries I've come up with for detecting those techniques.
T1055.012 Hollowing of cmd.exe
SrcProcParentName = "cmd.exe" AND SrcProcName In AnyCase ("svchost.exe","explorer.exe","nltest.exe","net.exe") AND DstPort In ("443","53")
T1482 Domain Trust Discovery
TgtProcName = "nltest.exe" AND (TgtProcCmdLine ContainsCIS "domain_trusts" OR TgtProcCmdLine ContainsCIS "all_trusts" OR TgtProcCmdLine ContainsCIS "dclist")
T1087 Domain Administrator Enumeration
TgtProcName In AnyCase ("net.exe","net1.exe") AND (TgtProcCmdLine ContainsCIS "domain admins" OR TgtProcCmdLine ContainsCIS "enterprise admins") AND SrcProcParentName Not In ("gpscript.exe")
T1055.012 Hollowing of Explorer or Svchost
(SrcProcParentName In AnyCase ("explorer.exe") AND SrcProcName In AnyCase ("svchost.exe")) OR ( SrcProcParentName Not In ("services.exe") AND SrcProcName In AnyCase ("svchost.exe") AND SrcProcCmdLine IS EMPTY )
T1021 Lateral Movement WMI/PS/CS
SrcProcParentName In AnyCase ("WmiPrvse.exe") AND SrcProcName In AnyCase ("cmd.exe") AND TgtProcName In AnyCase ("powershell.exe") AND SrcProcUser Not In ("DOMAIN\svcServiceNowScan","DOMAIN\svcTenableScan") AND TgtProcCmdLine Does Not ContainCIS "C:\Windows\ccmcache"
T1021 Lateral Movement CS SMB
(SrcProcName In AnyCase ("rundll32.exe") AND SrcProcCmdLine IS EMPTY) OR (SrcProcName In AnyCase ("rundll32.exe") AND NetConnOutCount > "0" AND SrcProcParentName Not In ("splwow64.exe"))
See item 3.
T1003.001 LSASS Memory Dump
TgtProcImageSha1 = "f0c52cea19c204f5cdbe952cc7cfc182e20d8d43" OR TgtProcCmdLine ContainsCIS "-ma lsass.exe" OR TgtProcCmdLine ContainsCIS "comsvcs.dll, MiniDump" OR TgtFilePath = "C:\Windows\Temp\dumpert.dmp" OR TgtFilePath RegExp "^.*lsass.*\.DMP" OR ( SrcProcCmdLine ContainsCIS "sekurlsa::minidump" OR SrcProcCmdLine ContainsCIS "sekurlsa::logonpasswords" ) OR SrcProcCmdLine ContainsCIS "live lsa"
T1484 Bloodhound Enumeration
(TgtProcName = "regsvr32.exe" AND TgtProcCmdLine IS EMPTY AND NetConnOutCount > "0") OR (NetConnOutCount > "1000" AND DstPort = "445")
T1069.002 Domain Groups Discovery
TgtProcDisplayName ContainsCIS "AdFind" OR TgtProcCmdLine ContainsCIS "trustdmp" OR TgtProcCmdLine ContainsCIS "-f \"(objectcategory="