Uncommon File Creation By Mysql Daemon Process
Detects the creation of files with scripting or executable extensions by the MySQL daemon, which could indicate abuse of "User Defined Functions" (UDFs) to download malware.
Sigma rule
title: Uncommon File Creation By Mysql Daemon Process
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
status: test
description: |
    Detects the creation of files with scripting or executable extensions by the MySQL daemon,
    which could indicate abuse of "User Defined Functions" to download malware.
references:
    - https://asec.ahnlab.com/en/58878/
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
author: Joseph Kamau
date: 2024-05-27
tags:
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - \mysqld.exe
            - \mysqld-nt.exe
        TargetFilename|endswith:
            - '.bat'
            - '.dat'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.psm1'
            - '.vbe'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high
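To show what the selection above actually matches, here is an added example (not code from the Sigma project or from the rule's author) that implements the subset of Sigma matching this rule needs: the `endswith` modifier, OR across the values listed under one field, AND across fields, and case-insensitive string comparison as Sigma specifies. It runs the selection over constructed Sysmon-style file-creation (Event ID 11) records; the paths and file names are made up for illustration.

```python
"""Apply the selection of the MySQL daemon file-creation rule to sample events.

Added example, not part of the Sigma project or the rule page. The events below
are constructed; field names follow Sigma's generic file_event taxonomy.
"""

# Selection copied from the rule: field name, optional modifier, list of values.
RULE_SELECTION = {
    "Image|endswith": [r"\mysqld.exe", r"\mysqld-nt.exe"],
    "TargetFilename|endswith": [
        ".bat", ".dat", ".dll", ".exe", ".ps1", ".psm1", ".vbe", ".vbs",
    ],
}


def _field_matches(event, field_spec, values):
    """True if the event field satisfies ANY listed value (Sigma ORs a value list)."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()  # Sigma string matching is case-insensitive
    for value in values:
        value = str(value).lower()
        if modifier == "endswith":
            hit = actual.endswith(value)
        elif modifier == "startswith":
            hit = actual.startswith(value)
        elif modifier == "contains":
            hit = value in actual
        elif modifier == "":
            hit = actual == value
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        if hit:
            return True
    return False


def selection_matches(event, selection=RULE_SELECTION):
    """Every field in a Sigma selection map must match (AND across fields)."""
    return all(_field_matches(event, spec, vals) for spec, vals in selection.items())


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 11.
SAMPLE_EVENTS = [
    # Daemon writes a DLL into its plugin directory: matches both fields.
    {"EventID": 11,
     "Image": r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe",
     "TargetFilename": r"C:\Program Files\MySQL\MySQL Server 8.0\lib\plugin\sample_udf.dll"},
    # Daemon writes its own data file: extension not in the list, no match.
    {"EventID": 11,
     "Image": r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe",
     "TargetFilename": r"C:\ProgramData\MySQL\MySQL Server 8.0\Data\ibdata1"},
    # Another process drops an EXE: Image does not match, no alert from this rule.
    {"EventID": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.exe"},
    # Upper-case paths and the legacy mysqld-nt.exe name still match.
    {"EventID": 11,
     "Image": r"C:\MYSQL\BIN\MYSQLD-NT.EXE",
     "TargetFilename": r"C:\Windows\Temp\Payload.VBS"},
]


def alerts(events):
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT", path)
```

The second sample event shows why the rule keys on the extension rather than on any write by `mysqld.exe`: the daemon writes data files constantly, and only the scripting and executable extensions in the list should raise an alert. Environment-specific exclusions (for example a known plugin deployment path) would be expressed in Sigma as an additional `filter` selection referenced from `condition`, not by editing the value lists.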
Related rules
- .RDP File Created By Uncommon Application
- ADS Zone.Identifier Deleted By Uncommon Application
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- APT29 2018 Phishing Campaign CommandLine Indicators