T1059.001 – Command and Scripting Interpreter: PowerShell. Suspicious PowerShell process observed on the endpoint, likely responsible for generating the outbound request.
T1071.001 – Application Layer Protocol: Web Protocols. Attempted HTTP communication to the external domain casinos-hub.com.
T1105 – Ingress Tool Transfer. Potential staging or payload retrieval behavior inferred from outbound connections (including a GitHub IP).
T1204.002 – User Execution: Malicious File. Possible user- or script-triggered execution leading to the outbound request (not fully confirmed, but a plausible initial vector).
The alert SOC111 (Traffic to Malware Domain) triggered after host BellaPRD attempted to connect to a known malicious domain via the URL http://casinos-hub.com/s/ZQhDyLF/. The connection was blocked by security controls. Endpoint review identified a running PowerShell process, suggesting scripted activity as the likely source of the outbound request.
Jan 30 2021 05:25 PM
Host BellaPRD (172.16.17.19), user Bella, attempted a connection to casinos-hub.com (45.80.181.51). Additional endpoint network activity shows communication with 140.82.121.4 (GitHub infrastructure), which may indicate staging or payload hosting.
The alert was triggered due to an attempted connection to a known malicious domain. Although the connection was blocked and no additional proxy logs were observed, the presence of an active PowerShell process on the endpoint raises suspicion of scripted or malware-driven activity. Due to limited logging visibility and potential signs of compromise, the host was contained and escalated for further investigation.
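The triage logic behind the conclusion above, written out as an added example (not part of the original case notes): match outbound connections against the case indicators, tie each hit back to the endpoint process that made it, and escalate when the source is a scripting interpreter even though the request was blocked. The log lines and the field names (src, dst, host, image, action, pid) are constructed assumptions.

```python
import re

# Indicators taken from the case above; everything else is constructed sample data.
MALICIOUS = {"casinos-hub.com", "45.80.181.51"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed firewall/proxy events (key=value format is an assumption).
FIREWALL_LOGS = [
    "ts=2021-01-30T17:25:01 src=172.16.17.19 dst=45.80.181.51 host=casinos-hub.com action=block",
    "ts=2021-01-30T17:25:03 src=172.16.17.19 dst=140.82.121.4 host=github.com action=allow",
    "ts=2021-01-30T17:26:10 src=172.16.17.20 dst=93.184.216.34 host=example.com action=allow",
]
# Constructed endpoint network events (one line per process connection).
ENDPOINT_LOGS = [
    "ts=2021-01-30T17:25:01 host=BellaPRD src=172.16.17.19 pid=4412 image=powershell.exe dst=45.80.181.51",
    "ts=2021-01-30T17:25:03 host=BellaPRD src=172.16.17.19 pid=4412 image=powershell.exe dst=140.82.121.4",
    "ts=2021-01-30T17:26:10 host=OtherPRD src=172.16.17.20 pid=900 image=chrome.exe dst=93.184.216.34",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def triage(firewall_logs, endpoint_logs):
    """Return one finding per source IP that touched a known-bad indicator."""
    endpoint = [parse(line) for line in endpoint_logs]
    findings = {}
    for ev in (parse(line) for line in firewall_logs):
        if not ({ev.get("host"), ev.get("dst")} & MALICIOUS):
            continue
        # Which endpoint process produced this connection? Match on source IP and destination.
        procs = [e for e in endpoint if e["src"] == ev["src"] and e["dst"] == ev["dst"]]
        scripted = any(e["image"].lower() in INTERPRETERS for e in procs)
        # Other destinations reached by the same process(es): candidate staging / tool transfer.
        pids = {e["pid"] for e in procs}
        related = sorted({e["dst"] for e in endpoint
                          if e["src"] == ev["src"] and e["pid"] in pids} - {ev["dst"]})
        blocked = ev.get("action") == "block"
        findings[ev["src"]] = {
            "indicator": ev.get("host"),
            "blocked": blocked,
            "scripted": scripted,
            "related_dsts": related,
            # A block stops the request, not the process that issued it: escalate when a
            # scripting interpreter is the source even if the connection never completed.
            "escalate": scripted or not blocked,
        }
    return findings
```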