Uncommon File Creation By Mysql Daemon Process

Severity: high
Author: Joseph Kamau
Source: upstream

Detects the creation of files with scripting or executable extensions by Mysql daemon. Which could be an indicator of "User Defined Functions" abuse to download malware.

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `selection`

or:
Image|endswith: '\mysqld-nt.exe'
Image|endswith: '\mysqld.exe'
or:
TargetFilename|endswith: .bat
TargetFilename|endswith: .dat
TargetFilename|endswith: .dll
TargetFilename|endswith: .exe
TargetFilename|endswith: .ps1
TargetFilename|endswith: .psm1
TargetFilename|endswith: .vbe
TargetFilename|endswith: .vbs

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\mysqld-nt.exe` `\mysqld.exe`
`TargetFilename`	ends_with	`.bat` corpus 15 (sigma 15) `.dat` corpus 2 (sigma 2) `.dll` corpus 21 (sigma 21) `.exe` corpus 18 (sigma 18) `.ps1` corpus 15 (sigma 15) `.psm1` corpus 4 (sigma 4) `.vbe` corpus 13 (sigma 13) `.vbs` corpus 16 (sigma 16)

Uncommon File Creation By Mysql Daemon Process

Event coverage

Stages and Predicates

Stage 1: selection

Indicators

Stage 1: `selection`