Cisco Talos analyzed over 3 million PowerShell network connection logs from June to December 2024, discovering that rare domains contacted by PowerShell were more likely to be malicious than frequently contacted domains. The study also highlighted the importance of analyzing subdomains, as demonstrated by malicious activity found in the ‘raw.githubusercontent.com’ subdomain. #PowerShell #githubusercontentcom #InvokeMimikatz
Keypoints
- Domains rarely contacted by PowerShell are 3.18 times more likely to be malicious than frequently contacted domains, though the sample size limited the statistical significance of this result.
- A total of 742 unique base domains were observed, with 74.1% (550) classified as rare based on ≤5 average contacts per full domain.
- The non-rare domain ‘githubusercontent.com’ was flagged as malicious due to suspicious activity on its subdomain ‘raw.githubusercontent.com’, involving PowerShell commands like PowerSploit and Invoke-Mimikatz.
- Other command line processes such as ‘rundll32.exe’, Python, ‘cmd.exe’, and ‘cscript.exe’ showed much lower malicious domain contact rates; however, ‘wscript.exe’ exhibited a notably higher proportion of malicious rare domains.
- Manual review combined with automated threat intelligence effectively reduced false positives and identified nuanced malicious activity, especially in high-traffic domains.
- Recommendations include prioritizing investigation of rare domains, conducting subdomain-level analysis, and focusing on anomalous use of ‘wscript.exe’ in security monitoring.
- Future research directions encompass temporal domain contact analysis, behavioral assessment of process arguments, and developing a comprehensive risk scoring system for domain prioritization.
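As an added example of the rare-domain and subdomain-level analysis the key points describe (not Talos code), this Python script applies the ≤5 average-contacts-per-full-domain rule to constructed PowerShell connection logs and then breaks busy base domains down by subdomain. The tab-separated log format, the PowerShell process filter and the two-label base-domain approximation are assumptions.

```python
from collections import Counter, defaultdict

RARE_THRESHOLD = 5  # page's rule: rare if <= 5 average contacts per full domain

# Constructed sample events: (process, destination host, number of connections)
SAMPLE_EVENTS = [
    ("powershell.exe", "objects.githubusercontent.com", 20),
    ("powershell.exe", "raw.githubusercontent.com", 2),
    ("powershell.exe", "cdn.example-update.com", 12),
    ("pwsh.exe", "x7k2.pastebin-mirror.example", 1),
    ("cmd.exe", "update.ignored-process.example", 9),  # not PowerShell: skipped
]
# Assumed log format: one "<process>\t<host>" line per connection
SAMPLE_LOG = "\n".join(f"{p}\t{h}" for p, h, n in SAMPLE_EVENTS for _ in range(n))

def base_domain(host):
    """Last two labels as the base domain (assumption: no public-suffix list,
    so 'co.uk'-style suffixes would need one in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_log(text, processes=("powershell.exe", "pwsh.exe")):
    """Count contacts per full domain, keeping only PowerShell processes."""
    counts = Counter()
    for line in text.strip().splitlines():
        proc, host = line.split("\t")
        if proc.lower() in processes:
            counts[host.lower()] += 1
    return counts

def classify_base_domains(full_counts, threshold=RARE_THRESHOLD):
    """Map base domain -> (average contacts per full domain, is_rare)."""
    per_base = defaultdict(list)
    for host, n in full_counts.items():
        per_base[base_domain(host)].append(n)
    avgs = {b: sum(ns) / len(ns) for b, ns in per_base.items()}
    return {b: (a, a <= threshold) for b, a in avgs.items()}

def subdomain_breakdown(full_counts, base):
    """Per-subdomain counts under one base domain, fewest contacts first, so a
    seldom-hit subdomain of a busy parent (raw. under githubusercontent.com) surfaces."""
    rows = [(h, n) for h, n in full_counts.items() if base_domain(h) == base]
    return sorted(rows, key=lambda r: (r[1], r[0]))

def triage(text):
    # Returns (rare base domains to prioritise, per-subdomain view of busy ones)
    counts = parse_log(text)
    classes = classify_base_domains(counts)
    rare = sorted(b for b, (_, is_rare) in classes.items() if is_rare)
    busy = {b: subdomain_breakdown(counts, b) for b, (_, r) in classes.items() if not r}
    return rare, busy
```

On the sample, `githubusercontent.com` is not rare (average 11 contacts), yet the subdomain view lists `raw.githubusercontent.com` first with only 2 contacts, which is the kind of low-volume subdomain under a high-traffic parent the study flagged.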
MITRE Techniques
- [T1086] PowerShell – Used to execute malicious commands such as downloading PowerSploit and running Invoke-Mimikatz from suspicious domains (‘…downloading PowerSploit or executing Invoke-Mimikatz…’).
- [T1041] Exfiltration Over Command and Control Channel – Detected through network connection logs of PowerShell to rare and malicious domains indicating data transfers to adversary-controlled hosts.
- [T1566] Phishing or Malicious Script Delivery – Inferred from execution of scripts hosted on subdomains like ‘raw.githubusercontent.com’ facilitating payload delivery.
Indicators of Compromise
- [Domain] Suspicious PowerShell network destinations – ‘raw.githubusercontent.com’, ‘githubusercontent.com’
- [Process] PowerShell executables used in telemetry – ‘powershell.exe’, ‘pwsh.exe’
- [Subdomain] Malicious activity identified on ‘raw.githubusercontent.com’ within the ‘githubusercontent.com’ domain
Read more: https://blog.talosintelligence.com/scarcity-signals-are-rare-activities-red-flags/