The hypothesis is that an adversary is leveraging the MySQL daemon process to create malicious files with scripting or executable extensions to execute arbitrary code. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of the database service and prevent lateral movement or data exfiltration.
Detection Rule
title: Uncommon File Creation By Mysql Daemon Process
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
status: test
description: |
    Detects the creation of files with scripting or executable extensions by Mysql daemon.
    Which could be an indicator of "User Defined Functions" abuse to download malware.
references:
    - https://asec.ahnlab.com/en/58878/
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
author: Joseph Kamau
date: 2024-05-27
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - \mysqld.exe
            - \mysqld-nt.exe
        TargetFilename|endswith:
            - '.bat'
            - '.dat'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.psm1'
            - '.vbe'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high
// The Sigma Image field (the process that created the file) maps to ActingProcessName in the ASIM
// file-event schema. Testing TargetFilePath for mysqld.exe would never match, because TargetFilePath
// is the full path of the file being created, not of the creating process.
imFileEvent
| where (ActingProcessName endswith "\\mysqld.exe" or ActingProcessName endswith "\\mysqld-nt.exe")
    and (TargetFileName endswith ".bat" or TargetFileName endswith ".dat" or TargetFileName endswith ".dll"
         or TargetFileName endswith ".exe" or TargetFileName endswith ".ps1" or TargetFileName endswith ".psm1"
         or TargetFileName endswith ".vbe" or TargetFileName endswith ".vbs")
Scenario: MySQL server is used to run a scheduled backup job that generates temporary script files for data extraction.
Filter/Exclusion: Exclude files created in known backup directories (e.g., /var/backups/mysql/) or files with specific naming patterns (e.g., backup_*.sh).

Scenario: A system administrator uses MySQL to execute a custom shell script for database maintenance, which creates a temporary .sh file in the /tmp directory.
Filter/Exclusion: Exclude files created in /tmp/ or files with a specific prefix like temp_script_.

Scenario: A legitimate application uses MySQL to generate configuration files with .cfg or .conf extensions during deployment.
Filter/Exclusion: Exclude files created in application-specific directories (e.g., /opt/app/config/) or files with known application-specific naming conventions.

Scenario: MySQL is configured to log to a custom log file with a .log extension, which is created by the daemon process.
Filter/Exclusion: Exclude files created in log directories (e.g., /var/log/mysql/) or files with specific log file names (e.g., mysql.log).

Scenario: A developer uses MySQL to run a Python script (e.g., myscript.py) that generates a temporary file for processing.
Filter/Exclusion: Exclude files created in development directories (e.g., /home/dev/project/tmp/) or files with known development tool naming patterns.
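As an added example (not part of the rule or the original page), the following Python emulates the Sigma selection above and layers one allowlist on top of it, in the spirit of the filter/exclusion scenarios, over constructed Sysmon-style file-creation records. The allowlist directory prefix and file-name glob are assumed, hypothetical values, and the sample events are made up.

```python
import fnmatch
from typing import Iterable

# Process names and extensions copied from the Sigma rule above
MYSQL_IMAGES = ("\\mysqld.exe", "\\mysqld-nt.exe")
SUSPICIOUS_EXTENSIONS = (".bat", ".dat", ".dll", ".exe", ".ps1", ".psm1", ".vbe", ".vbs")

# Assumed allowlist, built the way the filter/exclusion scenarios suggest:
# known-good directory prefixes and file-name patterns (hypothetical values)
ALLOWED_DIR_PREFIXES = ("c:\\mysql\\backups\\",)
ALLOWED_NAME_GLOBS = ("backup_*.bat",)

def matches_rule(event: dict) -> bool:
    """Sigma 'selection': Image ends with a mysqld binary AND the created file
    has one of the listed extensions (case-insensitive, as in Sigma)."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(MYSQL_IMAGES) and target.endswith(SUSPICIOUS_EXTENSIONS)

def is_allowlisted(event: dict) -> bool:
    """Tuning layer: drop hits in known-good directories or with known-good names."""
    target = event.get("TargetFilename", "").lower()
    name = target.rsplit("\\", 1)[-1]
    return target.startswith(ALLOWED_DIR_PREFIXES) or any(
        fnmatch.fnmatch(name, pattern) for pattern in ALLOWED_NAME_GLOBS
    )

def hunt(events: Iterable[dict]) -> list:
    """Return the file-creation events that match the rule and survive the allowlist."""
    return [e for e in events if matches_rule(e) and not is_allowlisted(e)]

# Constructed Sysmon-style (Event ID 11) records; not real telemetry
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\MySQL\\bin\\mysqld.exe",
     "TargetFilename": "C:\\Windows\\Temp\\udf.dll"},                 # hit: DLL dropped by the daemon
    {"Image": "C:\\Program Files\\MySQL\\bin\\mysqld.exe",
     "TargetFilename": "C:\\ProgramData\\MySQL\\data\\ibdata1"},      # normal data file, no match
    {"Image": "C:\\Program Files\\MySQL\\bin\\mysqld.exe",
     "TargetFilename": "C:\\mysql\\backups\\backup_2024-05-27.bat"},  # matches, but allowlisted
    {"Image": "C:\\mysql\\bin\\mysqld-nt.exe",
     "TargetFilename": "C:\\Windows\\System32\\Tasks\\update.vbs"},   # hit: script outside data dir
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\Downloads\\setup.exe"},       # not the MySQL daemon
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Running it reports only the two hits; the backup .bat is suppressed by the allowlist and the remaining records never match the selection.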