SUNSPOT malware hashes
| Id | 53e936c6-6c30-4d12-8343-b8a0456e8429 |
| Rulename | SUNSPOT malware hashes |
| Description | This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807 |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1554 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/SUNSPOTHashes.yaml |
| Version | 1.0.1 |
| Arm template | 53e936c6-6c30-4d12-8343-b8a0456e8429.json |
let SUNSPOT_Hashes = dynamic(["c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168", "0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389"]);
union isfuzzy=true(
DeviceEvents
| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),
(DeviceImageLoadEvents
| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))
| extend timestamp=TimeGenerated
| extend HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))
triggerOperator: gt
version: 1.0.1
query: |
let SUNSPOT_Hashes = dynamic(["c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168", "0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389"]);
union isfuzzy=true(
DeviceEvents
| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),
(DeviceImageLoadEvents
| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))
| extend timestamp=TimeGenerated
| extend HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))
status: Available
entityMappings:
- entityType: Host
fieldMappings:
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/SUNSPOTHashes.yaml
queryFrequency: 1d
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceImageLoadEvents
- DeviceEvents
tags:
- Solorigate
- NOBELIUM
name: SUNSPOT malware hashes
queryPeriod: 1d
severity: Medium
kind: Scheduled
tactics:
- Persistence
id: 53e936c6-6c30-4d12-8343-b8a0456e8429
description: |
'This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.
More details:
- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
- https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807'
relevantTechniques:
- T1554
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/53e936c6-6c30-4d12-8343-b8a0456e8429')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/53e936c6-6c30-4d12-8343-b8a0456e8429')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "SUNSPOT malware hashes",
"description": "'This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\nMore details: \n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807'\n",
"severity": "Medium",
"enabled": true,
"query": "let SUNSPOT_Hashes = dynamic([\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\", \"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\"]);\nunion isfuzzy=true(\nDeviceEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\n(DeviceImageLoadEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\n| extend timestamp=TimeGenerated\n| extend HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1554"
],
"alertRuleTemplateName": "53e936c6-6c30-4d12-8343-b8a0456e8429",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
],
"entityType": "Host"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/SUNSPOTHashes.yaml",
"status": "Available",
"templateVersion": "1.0.1",
"tags": [
"Solorigate",
"NOBELIUM"
]
}
}
]
}