Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SUNSPOT malware hashes

SUNSPOT malware hashes

Back
Id53e936c6-6c30-4d12-8343-b8a0456e8429
RulenameSUNSPOT malware hashes
DescriptionThis query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.

More details:

- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

- https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807
SeverityMedium
TacticsPersistence
TechniquesT1554
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/SUNSPOTHashes.yaml
Version1.0.0
Arm template53e936c6-6c30-4d12-8343-b8a0456e8429.json
Deploy To Azure
let SUNSPOT_Hashes = dynamic(["c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168", "0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389"]);
union isfuzzy=true(
DeviceEvents
| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),
(DeviceImageLoadEvents
| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))
| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated

version: 1.0.0
status: Available
queryFrequency: 1d
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceImageLoadEvents
  - DeviceEvents
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
kind: Scheduled
queryPeriod: 1d
severity: Medium
query: |
  let SUNSPOT_Hashes = dynamic(["c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168", "0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389"]);
  union isfuzzy=true(
  DeviceEvents
  | where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),
  (DeviceImageLoadEvents
  | where InitiatingProcessSHA256 in (SUNSPOT_Hashes))
  | extend HostCustomEntity = DeviceName, timestamp=TimeGenerated  
tags:
- Solorigate
- NOBELIUM
triggerOperator: gt
id: 53e936c6-6c30-4d12-8343-b8a0456e8429
description: |
  'This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.
  More details: 
    - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ 
    - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807'  
triggerThreshold: 0
name: SUNSPOT malware hashes
relevantTechniques:
- T1554
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/SUNSPOTHashes.yaml

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/53e936c6-6c30-4d12-8343-b8a0456e8429')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/53e936c6-6c30-4d12-8343-b8a0456e8429')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "SUNSPOT malware hashes",
        "description": "'This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\nMore details: \n  - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n  - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let SUNSPOT_Hashes = dynamic([\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\", \"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\"]);\nunion isfuzzy=true(\nDeviceEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\n(DeviceImageLoadEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1554"
        ],
        "alertRuleTemplateName": "53e936c6-6c30-4d12-8343-b8a0456e8429",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          }
        ],
        "tags": [
          "Solorigate",
          "NOBELIUM"
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/SUNSPOTHashes.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}