Adversaries associated with Star Blizzard use the domains listed below as infrastructure for command and control channels into the network. SOC teams should proactively hunt for connections to these domains in Azure Sentinel to detect and mitigate potential advanced persistent threat activity early.
KQL Query
let IOCs_Domains = pack_array("cache-dns.com","cache-dns-forwarding.com","cache-dns-preview.com","cache-docs.com","cache-pdf.com","cache-pdf.online","cache-services.live",
"cloud-docs.com","cloud-drive.live","cloud-storage.live","docs-cache.com","docs-forwarding.online","docs-info.com","docs-shared.com",
"docs-shared.online","docs-view.online","document-forwarding.com","document-online.live","document-preview.com","documents-cloud.com",
"documents-cloud.online","documents-forwarding.com","document-share.live","documents-online.live","documents-pdf.online","documents-preview.com",
"documents-view.live","document-view.live","drive-docs.com","drive-share.live","goo-link.online","hypertextteches.com","mail-docs.online",
"officeonline365.live","online365-office.com","online-document.live","online-storage.live","pdf-cache.com","pdf-cache.online","pdf-docs.online",
"pdf-forwarding.online","protection-checklinks.xyz","protection-link.online","protectionmail.online","protection-office.live","protect-link.online",
"proton-docs.com","proton-reader.com","proton-viewer.com","relogin-dashboard.online","safe-connection.online","safelinks-protect.live","secureoffice.live",
"webresources.live","word-yand.live","yandx-online.cloud","y-ml.co","docs-drive.online","docs-info.online","cloud-mail.online","onlinecloud365.live",
"pdf-cloud.online","pdf-shared.online","proton-pdf.online","proton-view.online","cloud-mail.online","office365-online.live","doc-viewer.com",
"file-milgov.systems","office-protection.online");
DeviceNetworkEvents
| where RemoteUrl has_any(IOCs_Domains)
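Added example, not the page's or Microsoft's own query: it keeps the has_any match from the query above as a cheap pre-filter, then confirms that the host part of RemoteUrl equals an IOC or is a subdomain of one (has_any is term-based and can also fire on longer names or paths that merely contain the string), and summarizes by device and initiating process so each hit can be triaged against the scenarios that follow. The 30-day window and the column names are assumptions about the standard Microsoft Defender for Endpoint DeviceNetworkEvents schema.

```kql
// Added example (not the page's query): has_any pre-filter, exact host confirmation,
// then a per-device / per-process summary for triage. Same IOC list as above, deduplicated.
let IOCs_Domains = pack_array("cache-dns.com","cache-dns-forwarding.com","cache-dns-preview.com","cache-docs.com","cache-pdf.com","cache-pdf.online","cache-services.live",
"cloud-docs.com","cloud-drive.live","cloud-storage.live","docs-cache.com","docs-forwarding.online","docs-info.com","docs-shared.com",
"docs-shared.online","docs-view.online","document-forwarding.com","document-online.live","document-preview.com","documents-cloud.com",
"documents-cloud.online","documents-forwarding.com","document-share.live","documents-online.live","documents-pdf.online","documents-preview.com",
"documents-view.live","document-view.live","drive-docs.com","drive-share.live","goo-link.online","hypertextteches.com","mail-docs.online",
"officeonline365.live","online365-office.com","online-document.live","online-storage.live","pdf-cache.com","pdf-cache.online","pdf-docs.online",
"pdf-forwarding.online","protection-checklinks.xyz","protection-link.online","protectionmail.online","protection-office.live","protect-link.online",
"proton-docs.com","proton-reader.com","proton-viewer.com","relogin-dashboard.online","safe-connection.online","safelinks-protect.live","secureoffice.live",
"webresources.live","word-yand.live","yandx-online.cloud","y-ml.co","docs-drive.online","docs-info.online","cloud-mail.online","onlinecloud365.live",
"pdf-cloud.online","pdf-shared.online","proton-pdf.online","proton-view.online","office365-online.live","doc-viewer.com",
"file-milgov.systems","office-protection.online");
let lookback = 30d;   // assumed hunting window
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (IOCs_Domains)      // term-based pre-filter, as in the page's query
// RemoteUrl may be a bare hostname or a full URL; keep only the host part, lower-cased
| extend Host = tolower(extract(@"^(?:[a-z]+://)?([^/:?#]+)", 1, RemoteUrl))
| extend Ioc = IOCs_Domains
| mv-apply Ioc to typeof(string) on (
    // exact host or a subdomain of the IOC, never a mere substring match
    where Host == Ioc or Host endswith strcat(".", Ioc)
)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
            RemoteIPs = make_set(RemoteIP, 20), Urls = make_set(RemoteUrl, 20),
            Accounts = make_set(InitiatingProcessAccountName, 10)
    by DeviceName, Ioc, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by LastSeen desc
```

The InitiatingProcessFileName and InitiatingProcessCommandLine columns are what let an analyst decide whether a hit is one of the benign scenarios listed below, rather than excluding those processes up front and losing visibility of a connection to a known Star Blizzard domain.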
Rule Definition (YAML)
id: 4b14590a-a1f0-4756-9f3d-baafa696e051
name: Star Blizzard-Domain IOCs
description: |
  'This query identifies matches based on domain IOCs related to Star Blizzard against Microsoft Defender for Endpoint device network connections'
severity: High
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let IOCs_Domains = pack_array("cache-dns.com","cache-dns-forwarding.com","cache-dns-preview.com","cache-docs.com","cache-pdf.com","cache-pdf.online","cache-services.live",
  "cloud-docs.com","cloud-drive.live","cloud-storage.live","docs-cache.com","docs-forwarding.online","docs-info.com","docs-shared.com",
  "docs-shared.online","docs-view.online","document-forwarding.com","document-online.live","document-preview.com","documents-cloud.com",
  "documents-cloud.online","documents-forwarding.com","document-share.live","documents-online.live","documents-pdf.online","documents-preview.com",
  "documents-view.live","document-view.live","drive-docs.com","drive-share.live","goo-link.online","hypertextteches.com","mail-docs.online",
  "officeonline365.live","online365-office.com","online-document.live","online-storage.live","pdf-cache.com","pdf-cache.online","pdf-docs.online",
  "pdf-forwarding.online","protection-checklinks.xyz","protection-link.online","protectionmail.online","protection-office.live","protect-link.online",
  "proton-docs.com","proton-reader.com","proton-viewer.com","relogin-dashboard.online","safe-connection.online","safelinks-protect.live","secureoffice.live",
  "webresources.live","word-yand.live","yandx-online.cloud","y-ml.co","docs-drive.online","docs-info.online","cloud-mail.online","onlinecloud365.live",
  "pdf-cloud.online","pdf-shared.online","proton-pdf.online","proton-view.online","cloud-mail.online","office365-online.live","doc-viewer.com",
  "file-milgov.systems","office-protection.online");
  DeviceNetworkEvents
  | where RemoteUrl has_any(IOCs_Domains)
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a system maintenance script that connects to a domain associated with Star Blizzard.
Filter/Exclusion: Exclude connections originating from system maintenance tasks (e.g., Task Scheduler or schtasks.exe) or domains known to be used by Microsoft or enterprise IT tools (e.g., microsoft.com, azure.com).
Scenario: Admin Access via Remote Desktop (RDP)
Description: An administrator connects to a remote server using RDP, and the connection is flagged due to a domain in the network traffic.
Filter/Exclusion: Exclude connections initiated from known admin workstations or RDP clients (e.g., mstsc.exe) and filter by source IP ranges reserved for internal network traffic.
Scenario: Software Update via Microsoft Endpoint Manager (MEM)
Description: A device connects to a Microsoft Endpoint Manager (MEM) server to download a software update, and the domain is mistakenly flagged.
Filter/Exclusion: Exclude connections to domains associated with Microsoft Endpoint Manager (e.g., intune.microsoft.com, devicemanagement.microsoft.com).
Scenario: Log Collection via Splunk or ELK Stack
Description: A log collection agent (e.g., Splunk or ELK) connects to a central log server, and the domain is flagged as a Star Blizzard IOC.
Filter/Exclusion: Exclude connections from log collection agents (e.g., splunkforwarder, logstash) or to known log management domains (e.g., splunk.com, elkstack.org).
Scenario: Internal DevOps Pipeline with GitHub Actions
Description: A CI/CD pipeline (e.g., GitHub Actions) connects to a domain during a build process, and the domain is incorrectly flagged.