Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SUNSPOT malware hashes

SUNSPOT malware hashes

Back
Id53e936c6-6c30-4d12-8343-b8a0456e8429
RulenameSUNSPOT malware hashes
DescriptionThis query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.

More details:

- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

- https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807
SeverityMedium
TacticsPersistence
TechniquesT1554
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml
Version1.0.2
Arm template53e936c6-6c30-4d12-8343-b8a0456e8429.json
Deploy To Azure
let SUNSPOT_Hashes = dynamic(["c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168", "0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389"]);
union isfuzzy=true(
DeviceEvents
| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),
(DeviceImageLoadEvents
| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))
| extend timestamp=TimeGenerated
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)

id: 53e936c6-6c30-4d12-8343-b8a0456e8429
requiredDataConnectors:
- dataTypes:
  - DeviceImageLoadEvents
  - DeviceEvents
  connectorId: MicrosoftThreatProtection
name: SUNSPOT malware hashes
version: 1.0.2
query: |
  let SUNSPOT_Hashes = dynamic(["c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168", "0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389"]);
  union isfuzzy=true(
  DeviceEvents
  | where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),
  (DeviceImageLoadEvents
  | where InitiatingProcessSHA256 in (SUNSPOT_Hashes))
  | extend timestamp=TimeGenerated
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)  
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
  entityType: Host
- fieldMappings:
  - identifier: FullName
    columnName: InitiatingProcessAccountUpn
  - identifier: Name
    columnName: InitiatingProcessAccountName
  - identifier: UPNSuffix
    columnName: InitiatingProcessAccountDomain
  entityType: Account
relevantTechniques:
- T1554
tactics:
- Persistence
triggerThreshold: 0
queryPeriod: 1d
queryFrequency: 1d
severity: Medium
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/SUNSPOTHashes.yaml
triggerOperator: gt
status: Available
description: |
  'This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.
  More details: 
    - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ 
    - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807'  
tags:
- Solorigate
- NOBELIUM