Uncommon File Creation By Mysql Daemon Process
Detects the creation of files with scripting or executable extensions by the MySQL daemon, which could be an indicator of "User Defined Functions" abuse to download malware.
Sigma rule
```yaml
title: Uncommon File Creation By Mysql Daemon Process
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
status: experimental
description: |
    Detects the creation of files with scripting or executable extensions by Mysql daemon.
    Which could be an indicator of "User Defined Functions" abuse to download malware.
references:
    - https://asec.ahnlab.com/en/58878/
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
author: Joseph Kamau
date: 2024/05/27
tags:
    - attack.defense_evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - \mysqld.exe
            - \mysqld-nt.exe
        TargetFilename|endswith:
            - '.bat'
            - '.dat'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.psm1'
            - '.vbe'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high
```
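To see exactly what the selection matches (and what it does not), here is an added Python example that is not part of the Sigma project or this rule page: it evaluates the rule's two `endswith` lists against constructed Sysmon file-create records. The field names `Image` and `TargetFilename` come from the rule; the sample paths are assumptions, and matching is case-insensitive as Sigma's default string modifiers require.

```python
from typing import Iterable, List

# Values copied from the rule's selection. Sigma's plain string matching is
# case-insensitive, so the matcher below lower-cases both sides.
MYSQL_IMAGES = (r"\mysqld.exe", r"\mysqld-nt.exe")
SUSPICIOUS_EXTENSIONS = (".bat", ".dat", ".dll", ".exe", ".ps1", ".psm1", ".vbe", ".vbs")


def _endswith_any(value: str, suffixes: tuple) -> bool:
    """Sigma 'endswith' applied to a list: true if any suffix matches, ignoring case."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """True when a file-create event satisfies the rule's 'selection' (both fields must match)."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return _endswith_any(image, MYSQL_IMAGES) and _endswith_any(target, SUSPICIOUS_EXTENSIONS)


def scan(events: Iterable[dict]) -> List[dict]:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample records (hypothetical Sysmon Event ID 11 fields, not real telemetry).
SAMPLE_EVENTS = [
    # mysqld writing a DLL into its plugin directory: extension check is case-insensitive.
    {"Image": r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe",
     "TargetFilename": r"C:\Program Files\MySQL\MySQL Server 8.0\lib\plugin\udf.DLL"},
    # Normal datafile activity by mysqld: no listed extension, so no alert.
    {"Image": r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe",
     "TargetFilename": r"C:\ProgramData\MySQL\MySQL Server 8.0\Data\ibdata1"},
    # A listed extension but a different process: the Image condition fails.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\admin\Desktop\tool.exe"},
    # The legacy mysqld-nt.exe image name dropping a PowerShell script.
    {"Image": r"C:\mysql\bin\mysqld-nt.exe",
     "TargetFilename": r"C:\Windows\Temp\run.ps1"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Note that `\mysqld.exe` only matches when a path separator precedes the file name, so a bare `mysqld.exe` value in the Image field would not trigger; telemetry that logs full paths (as Sysmon does) is assumed.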
Related rules
- PowerShell Base64 Encoded WMI Classes
- Csc.EXE Execution Form Potentially Suspicious Parent
- Dynamic .NET Compilation Via Csc.EXE
- Uncommon Process Access Rights For Target Image
- Malicious DLL File Dropped in the Teams or OneDrive Folder