Hi,
The martian signature is very good and provides extra detail, which I have been able to use to let other engineers who may not understand these processes identify potential payload patterns more easily, without looking at the HTTP results, if a child process is created.
By specifying other programs it could also potentially be extended to programs such as Adobe, Java etc. to detect exploits dropping payloads. Another signature that could potentially be considered is document files (Office, PDF etc.) generating non-whitelisted network activity, which could also be a sign of a dropper or post-exploit payload fetching. With an appropriate domain whitelist for updates and other legitimate traffic, it could be used to further improve detection of malicious document behaviours.
This signature against a Dridex doc today works very well though, as you can see in the attached picture:
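The two checks the post above sketches, as an added example that is not part of the original post and not a Cuckoo (or any other sandbox's) signature: a document-handling process spawning a child, and network activity from a document-handling process (or anything it spawned) to a host outside a small update/legitimate-traffic whitelist. The event format, the list of document handlers, the whitelist patterns and the sample behaviour log are all assumptions constructed for this example; the hosts are documentation-reserved example names.

```python
"""Added example: document-process behaviour checks over a constructed sandbox log.

Assumptions (not from the original post or any real sandbox API):
  - each behaviour event is a dict with a "type" key;
  - process_create events carry pid, ppid, image and cmdline;
  - dns/http/tcp_connect events carry the pid that generated them and a host.
"""
import fnmatch

# Assumed: image names of programs that open document formats (lower-cased).
DOCUMENT_HANDLERS = {
    "winword.exe", "excel.exe", "powerpnt.exe",   # Office
    "acrord32.exe", "acrobat.exe",                # Adobe Reader / Acrobat
    "java.exe", "javaw.exe",                      # Java
}

# Assumed whitelist for updates and other legitimate traffic. "*.x.com" also
# accepts the bare apex "x.com"; keep it narrow, since anything hosted on a
# whitelisted domain (shared CDNs, cloud storage) becomes invisible to the check.
NETWORK_WHITELIST = (
    "*.microsoft.com", "*.office.com", "*.office.net",
    "*.adobe.com", "*.oracle.com", "*.java.com",
)


def is_whitelisted(host):
    """True if host matches a whitelist pattern (case-insensitive, trailing dot ignored)."""
    host = host.lower().rstrip(".")
    for pattern in NETWORK_WHITELIST:
        if fnmatch.fnmatchcase(host, pattern):
            return True
        if pattern.startswith("*.") and host == pattern[2:]:
            return True
    return False


def process_tree(events):
    """pid -> (image, ppid), built from process_create events."""
    return {ev["pid"]: (ev["image"].lower(), ev["ppid"])
            for ev in events if ev["type"] == "process_create"}


def document_ancestor(pid, tree):
    """Image name of the nearest document handler in pid's ancestry (pid itself included), else None."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        image, ppid = tree[pid]
        if image in DOCUMENT_HANDLERS:
            return image
        pid = ppid
    return None


def suspicious_children(events):
    """'Martian'-style check: a document handler directly creating another process."""
    tree = process_tree(events)
    hits = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        parent = tree.get(ev["ppid"])
        if parent and parent[0] in DOCUMENT_HANDLERS:
            hits.append({"parent": parent[0], "child": ev["image"].lower(), "cmdline": ev["cmdline"]})
    return hits


def suspicious_network(events):
    """Non-whitelisted network activity from a document handler or any of its descendants.

    Walking the ancestry matters: the second-stage fetch is usually made by the
    spawned cmd/powershell, not by the Office process itself.
    """
    tree = process_tree(events)
    hits = []
    for ev in events:
        if ev["type"] not in ("dns", "http", "tcp_connect"):
            continue
        origin = document_ancestor(ev["pid"], tree)
        if origin and not is_whitelisted(ev["host"]):
            hits.append({"origin": origin, "process": tree[ev["pid"]][0], "kind": ev["type"],
                         "host": ev["host"], "detail": ev.get("detail", "")})
    return hits


# Constructed sample log: a macro document spawns cmd -> powershell, which fetches
# a second stage; the Office update lookup is whitelisted noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 800, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 1200, "ppid": 800, "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice.doc"},
    {"type": "dns", "pid": 1200, "host": "officecdn.microsoft.com"},
    {"type": "process_create", "pid": 1304, "ppid": 1200, "image": "cmd.exe", "cmdline": "cmd /c start powershell -w hidden"},
    {"type": "process_create", "pid": 1310, "ppid": 1304, "image": "powershell.exe", "cmdline": "powershell -w hidden"},
    {"type": "dns", "pid": 1310, "host": "cdn.example.com"},
    {"type": "http", "pid": 1310, "host": "cdn.example.com", "detail": "GET /stage2.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_children(SAMPLE_EVENTS):
        print("child process:", hit)
    for hit in suspicious_network(SAMPLE_EVENTS):
        print("non-whitelisted network:", hit)
```

On the sample log the child-process check reports only winword.exe creating cmd.exe (powershell.exe is a grandchild), while the network check reports both the DNS lookup and the HTTP GET from powershell.exe with winword.exe as the origin; the officecdn.microsoft.com lookup is suppressed by the whitelist.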