Uncommon File Creation By Mysql Daemon Process

Detects the creation of files with scripting or executable extensions by Mysql daemon. Which could be an indicator of "User Defined Functions" abuse to download malware.

Sigma rule (View on GitHub)

 1title: Uncommon File Creation By Mysql Daemon Process
 2id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
 3status: experimental
 4description: |
 5    Detects the creation of files with scripting or executable extensions by Mysql daemon.
 6    Which could be an indicator of "User Defined Functions" abuse to download malware.    
 7references:
 8    - https://asec.ahnlab.com/en/58878/
 9    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
10author: Joseph Kamau
11date: 2024-05-27
12tags:
13    - attack.defense-evasion
14logsource:
15    product: windows
16    category: file_event
17detection:
18    selection:
19        Image|endswith:
20            - \mysqld.exe
21            - \mysqld-nt.exe
22        TargetFilename|endswith:
23            - '.bat'
24            - '.dat'
25            - '.dll'
26            - '.exe'
27            - '.ps1'
28            - '.psm1'
29            - '.vbe'
30            - '.vbs'
31    condition: selection
32falsepositives:
33    - Unknown
34level: high

References

Related rules

to-top