…and potential phishing attempts

new: Uncommon File Creation By Mysql Daemon Process
new: Potential Suspicious Browser Launch From Document Reader Process

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Showing 2 changed files with 71 additions and 0 deletions.
34 changes: 34 additions & 0 deletions
rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
@@ -0,0 +1,34 @@ | ||
title: Uncommon File Creation By Mysql Daemon Process | ||
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf | ||
status: experimental | ||
description: | | ||
Detects the creation of files with scripting or executable extensions by Mysql daemon. | ||
Which could be an indicator of "User Defined Functions" abuse to download malware. | ||
references: | ||
- https://asec.ahnlab.com/en/58878/ | ||
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/ | ||
author: Joseph Kamau | ||
date: 2024/05/27 | ||
tags: | ||
- attack.defense_evasion | ||
logsource: | ||
product: windows | ||
category: file_event | ||
detection: | ||
selection: | ||
Image|endswith: | ||
- \mysqld.exe | ||
- \mysqld-nt.exe | ||
TargetFilename|endswith: | ||
- '.bat' | ||
- '.dat' | ||
- '.dll' | ||
- '.exe' | ||
- '.ps1' | ||
- '.psm1' | ||
- '.vbe' | ||
- '.vbs' | ||
condition: selection | ||
falsepositives: | ||
- Unknown | ||
level: high |
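Review bot: `.dat` in the `TargetFilename|endswith` list does not match the description's "scripting or executable extensions"; it is a generic data-file extension and the entry most likely to fire on benign writes by the daemon, so either document why it is included or drop it. In `description`, "by Mysql daemon. Which could be an indicator ..." is a sentence fragment; suggest "by the MySQL daemon, which could be an indicator of "User Defined Functions" abuse to download malware." The only tag is `attack.defense_evasion`, while the behaviour the description names (the database daemon dropping scripts or executables to download malware) reads as execution rather than evasion; please confirm that mapping is the intended one.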
37 changes: 37 additions & 0 deletions
...s/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
@@ -0,0 +1,37 @@ | ||
title: Potential Suspicious Browser Launch From Document Reader Process | ||
id: 1193d960-2369-499f-a158-7b50a31df682 | ||
status: experimental | ||
description: | | ||
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt. | ||
references: | ||
- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document | ||
- https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document | ||
author: Joseph Kamau | ||
date: 2024/05/27 | ||
tags: | ||
- attack.execution | ||
- attack.t1204.002 | ||
logsource: | ||
product: windows | ||
category: process_creation | ||
detection: | ||
selection: | ||
ParentImage|contains: | ||
- 'Acrobat Reader' | ||
- 'Microsoft Office' | ||
- 'PDF Reader' | ||
Image|endswith: | ||
- '\brave.exe' | ||
- '\chrome.exe' | ||
- '\firefox.exe' | ||
- '\msedge.exe' | ||
- '\opera.exe' | ||
- '\maxthon.exe' | ||
- '\seamonkey.exe' | ||
- '\vivaldi.exe' | ||
- '' | ||
CommandLine|contains: 'http' | ||
condition: selection | ||
falsepositives: | ||
- Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed. | ||
level: medium |
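Review bot: the empty string `''` as the last entry of `Image|endswith` matches every `Image` value (every string ends with an empty string), which silently turns the browser list into a wildcard: any child process of the listed reader applications whose command line contains `http` will match, not only the browsers enumerated above. Remove that entry; if a process with an empty image path was meant, handle it as its own explicit case. Minor: in `description`, "such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate ..." is a fragment and a run-on; suggest "such as Adobe Reader or Microsoft Office, and that connects to a web application over http(s). This could indicate a phishing attempt."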