This rule checks MySQL database presence

Hunt Hypothesis

Adversaries may attempt to establish a persistent presence in a MySQL database by creating or modifying database objects, which could be an early indicator of compromise. SOC teams should proactively hunt for this behavior to identify potential unauthorized database access or lateral movement in their Azure Sentinel environment.

YARA Rule

rule mysql_database_presence
{
    meta:
        author="CYB3RMX"
        description="This rule checks MySQL database presence"

    strings:
        $db = "MySql.Data"
        $db1 = "MySqlCommand"
        $db2 = "MySqlConnection"
        $db3 = "MySqlDataReader"
        $db4 = "MySql.Data.MySqlClient"

    condition:
        (any of ($db*))
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: MySQL service is started during routine system maintenance or patching
  Filter/Exclusion: Exclude events where the MySQL service is started by the system administrator using systemctl or service command, and the process is associated with a known maintenance window.
  Example Filter: process.name = "systemctl" AND process.args = "start mysql" AND timestamp between [maintenance_start] and [maintenance_end]

• Scenario: MySQL is used by a legitimate application for data storage (e.g., WordPress, phpMyAdmin)
  Filter/Exclusion: Exclude connections from known internal applications using IP ranges or hostnames.
  Example Filter: src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) OR dst_host = "internal-app-server.example.com"

• Scenario: Scheduled backups are running using tools like mysqldump or Percona Backup
  Filter/Exclusion: Exclude processes initiated by backup scripts or scheduled tasks (e.g., crontab, task scheduler) with known backup tools.
  Example Filter: process.name = "mysqldump" AND process.args LIKE "%--backup%" OR process.name = "percona-xtrabackup"

• Scenario: MySQL is used for internal reporting or analytics via tools like Apache Superset or Metabase
  Filter/Exclusion: Exclude connections from known reporting tools or internal dashboards.
  Example Filter: src_host = "reporting-tool.example.com" OR src_ip = 10.10.10.10

• Scenario: MySQL is used for development or testing environments (e.g., Docker containers, Kubernetes pods)
  **Filter/Exclusion