Uncommon File Creation By Mysql Daemon Process

calendar May 27, 2024 · attack.defense_evasion  ·
Share on: linkedin copy

Detects the creation of files with scripting or executable extensions by Mysql daemon. Which could be an indicator of "User Defined Functions" abuse to download malware.

Sigma rule (View on GitHub)

 1title: Uncommon File Creation By Mysql Daemon Process
 2id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
 3status: experimental
 4description: |
 5    Detects the creation of files with scripting or executable extensions by Mysql daemon.
 6    Which could be an indicator of "User Defined Functions" abuse to download malware.    
 7references:
 8    - https://asec.ahnlab.com/en/58878/
 9    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
10author: Joseph Kamau
11date: 2024/05/27
12tags:
13    - attack.defense_evasion
14logsource:
15    product: windows
16    category: file_event
17detection:
18    selection:
19        Image|endswith:
20            - \mysqld.exe
21            - \mysqld-nt.exe
22        TargetFilename|endswith:
23            - '.bat'
24            - '.dat'
25            - '.dll'
26            - '.exe'
27            - '.ps1'
28            - '.psm1'
29            - '.vbe'
30            - '.vbs'
31    condition: selection
32falsepositives:
33    - Unknown
34level: high

References

  • Ddostf DDoS Bot Malware Attacking MySQL Servers - ASEC BLOG

    The AhnLab Security Emergency response Center’s (ASEC) analysis team is constantly monitoring malware distributed to vulnerable database servers. MySQL server is one of the main database servers that provides the feature of managing large amounts of data in a corporate or user environment. Typically, in Windows environments, MS-SQL is primarily installed for database services, while in Linux environments, database services like MySQL and PostgreSQL are used. However, although not as frequently as MS-SQL servers, there are instances where MySQL servers are installed on Windows since DBMS services like MySQL also support Windows environments. Consequently, attacks targeting MySQL servers running in Windows environments are constantly being identified. Based on the information from our AhnLab Smart Defense (ASD) logs, it appears that...


    Read More

  • Honeypot Recon: MySQL Malware Infection via User-Defined Functions (UDF)

    One such intriguing method that recently surfaced is MySQL servers, leveraging SQL commands to stealthily infiltrate, deploy, and activate malicious payloads.


    Read More

Related rules

to-top