Star Blizzard C2 Domains August 2022

Hunt Hypothesis

The hypothesis is that the detection identifies domains used by the Star Blizzard actor to establish command and control, leveraging T1566 techniques to exfiltrate data and maintain persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early in the attack lifecycle.

KQL Query

let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainNames = (iocs | where Type =~ "domainname"| project IoC);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP
),
(_Im_Dns (domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress =  SrcIpAddr, Computer = Dvc
),
(_Im_WebSession (url_has_any=DomainNames)
| extend DNSName = tostring(parse_url(Url)["Host"])
| extend IPAddress =  SrcIpAddr, Computer = Dvc
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where DNSName  in~ (DomainNames)
| extend IPAddress = RemoteIp
),
(DeviceNetworkEvents
| where RemoteUrl  has_any (DomainNames)
| extend IPAddress = RemoteIP
| extend Computer = DeviceName
),
(EmailUrlInfo
| where Url has_any (DomainNames)
| join (EmailEvents
| where EmailDirection == "Inbound" ) on NetworkMessageId
| extend IPAddress = SenderIPv4
| extend Account = RecipientEmailAddress
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
)
)
| extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)

Analytic Rule Definition

id: 2149d9bb-8298-444c-8f99-f7bf0274dd05
name: Star Blizzard C2 Domains August 2022
description: |
  'Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.'
severity: High
requiredDataConnectors:
  - connectorId: AzureMonitor(VMInsights)
    dataTypes:
      - VMConnection
  - connectorId: CiscoASA
    dataTypes:
      - CommonSecurityLog
  - connectorId: PaloAltoNetworks
    dataTypes:
      - CommonSecurityLog
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
      - EmailUrlInfo
      - EmailEvents
  - connectorId: AzureFirewall
    dataTypes:
      - AzureDiagnostics
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
tags:
  - Star Blizzard
  - Schema: ASIMDns
    SchemaVersion: 0.1.1
query: |
  let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv"] with (format="csv", ignoreFirstRecord=True);
  let DomainNames = (iocs | where Type =~ "domainname"| project IoC);
  (union isfuzzy=true
  (CommonSecurityLog
  | parse Message with * '(' DNSName ')' *
  | where DNSName in~ (DomainNames)
  | extend Account = SourceUserID, Computer = DeviceName, IPAddress =  DestinationIP
  ),
  (_Im_Dns (domain_has_any=DomainNames)
  | extend DNSName = DnsQuery
  | extend IPAddress =  SrcIpAddr, Computer = Dvc
  ),
  (_Im_WebSession (url_has_any=DomainNames)
  | extend DNSName = tostring(parse_url(Url)["Host"])
  | extend IPAddress =  SrcIpAddr, Computer = Dvc
  ),
  (VMConnection
  | parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
  | where DNSName  in~ (DomainNames)
  | extend IPAddress = RemoteIp
  ),
  (DeviceNetworkEvents
  | where RemoteUrl  has_any (DomainNames)
  | extend IPAddress = RemoteIP
  | extend Computer = DeviceName
  ),
  (EmailUrlInfo
  | where Url has_any (DomainNames)
  | join (EmailEvents
  | where EmailDirection == "Inbound" ) on NetworkMessageId
  | extend IPAddress = SenderIPv4
  | extend Account = RecipientEmailAddress
  ),
  (AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (DomainNames)
  | extend DNSName = DestinationHost
  | extend IPAddress = SourceHost
  )
  )
  | extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1])
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, "@")[0]), AccountUPNSuffix = tostring(split(Account, "@")[1]

Required Data Sources

Sentinel Table	Notes
`AzureDiagnostics`	Ensure this data connector is enabled
`CommonSecurityLog`	Ensure this data connector is enabled
`DeviceNetworkEvents`	Ensure this data connector is enabled
`EmailEvents`	Ensure this data connector is enabled
`EmailUrlInfo`	Ensure this data connector is enabled
`VMConnection`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

Source Query

False Positive Guidance

Scenario: Legitimate scheduled job using schtasks.exe to run a system maintenance script
Filter/Exclusion: Exclude domains that match the pattern *.internal.corp or domains associated with internal tools like schtasks.exe or Task Scheduler.
Scenario: Internal DNS resolution for a domain used by Microsoft Endpoint Manager (Intune) during device enrollment
Filter/Exclusion: Exclude domains that are part of the Microsoft Azure AD domain or match the pattern *.microsoft.com or *.azure.com.
Scenario: Use of a legitimate third-party C2 domain by a security tool like CrowdStrike Falcon for threat intelligence updates
Filter/Exclusion: Exclude domains that are known to be used by security tools such as *.crowdstrike.com or *.falcon.io.
Scenario: Internal development team using a test domain for a staging environment during application deployment
Filter/Exclusion: Exclude domains that contain the substring staging or dev and are registered under internal DNS (e.g., *.dev.corp).
Scenario: Use of a legitimate domain by a SIEM tool like Splunk for log collection and correlation
Filter/Exclusion: Exclude domains that are part of the Splunk infrastructure or match the pattern *.splunk.com or *.splunkcloud.com.