SUNSPOT malware hashes
This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by CrowdStrike.

More details:
- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
- https://techcommunity.microsoft.com/blog/microsoftsentinelblog/monitoring-the-software-supply-chain-with-azure-sentinel/2176463/
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1554 Compromise Host Software Binary |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Defender-DeviceEvents | 9007000 | Defender event (any) |
Stages and Predicates
Stage 1: source (union)
Stage 2: union of 2 branches