Uncommon File Creation By Mysql Daemon Process
Detects the creation of files with scripting or executable extensions by the MySQL daemon process, which could be an indicator of "User Defined Functions" (UDF) abuse to download malware.
Sigma rule
title: Uncommon File Creation By Mysql Daemon Process
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
status: experimental
description: |
    Detects the creation of files with scripting or executable extensions by Mysql daemon.
    Which could be an indicator of "User Defined Functions" abuse to download malware.
references:
    - https://asec.ahnlab.com/en/58878/
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
author: Joseph Kamau
date: 2024-05-27
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - \mysqld.exe
            - \mysqld-nt.exe
        TargetFilename|endswith:
            - '.bat'
            - '.dat'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.psm1'
            - '.vbe'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high
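To show what the rule's `selection` block actually matches, here is an added example (not part of the Sigma rule or the SigmaHQ project) that applies the same two `endswith` conditions to a handful of constructed Sysmon Event ID 11 (FileCreate) records. The field names `Image` and `TargetFilename` follow the Sigma Windows `file_event` log source; the event records and paths are constructed for illustration, and the case-insensitive comparison reflects how Sigma string modifiers are evaluated for Windows log sources.

```python
# Added example: a minimal evaluator for this rule's selection logic.
# Not the Sigma rule's or SigmaHQ's own code; the events below are constructed.

# Suffix lists copied from the rule's `Image|endswith` and `TargetFilename|endswith`.
IMAGE_SUFFIXES = ("\\mysqld.exe", "\\mysqld-nt.exe")
TARGET_SUFFIXES = (".bat", ".dat", ".dll", ".exe", ".ps1", ".psm1", ".vbe", ".vbs")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `condition: selection`.

    Both fields are lower-cased first because Sigma `endswith` matching on
    Windows log sources is case-insensitive; `str.endswith` accepts a tuple,
    so each list behaves like the rule's OR-ed values.
    """
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    return image.endswith(IMAGE_SUFFIXES) and target.endswith(TARGET_SUFFIXES)


# Constructed sample events in Sysmon Event ID 11 shape (not real telemetry):
#  0: mysqld.exe dropping a DLL into the plugin directory -> should match
#  1: mysqld.exe writing an InnoDB log file (no listed extension) -> no match
#  2: svchost.exe writing an .exe (wrong process) -> no match
#  3: mixed-case process and extension -> should still match
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe",
     "TargetFilename": r"C:\Program Files\MySQL\MySQL Server 8.0\lib\plugin\udf.dll"},
    {"EventID": 11,
     "Image": r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe",
     "TargetFilename": r"C:\ProgramData\MySQL\MySQL Server 8.0\Data\ib_logfile0"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.exe"},
    {"EventID": 11,
     "Image": r"C:\MySQL\bin\MYSQLD-NT.EXE",
     "TargetFilename": r"C:\Windows\Temp\run.PS1"},
]


def triage(events):
    """Apply the rule to a batch of events and return the matching ones."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT level=high rule='Uncommon File Creation By Mysql Daemon Process' "
              f"image={hit['Image']} file={hit['TargetFilename']}")
```

Running the script reports events 0 and 3 and stays silent on the other two. Because the rule lists `falsepositives: Unknown`, a legitimate administrator installing a plugin DLL into MySQL's plugin directory will also fire; when tuning, prefer adding a narrowly scoped `filter` on the plugin directory and the expected change window rather than dropping `.dll` from the extension list, since the UDF technique the references describe depends on exactly that file type.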
References
- https://asec.ahnlab.com/en/58878/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/