From 9f1034507615e0f1b81ba5866d5302fc3cf474bd Mon Sep 17 00:00:00 2001
From: skaynum <152009163+skaynum@users.noreply.github.com>
Date: Mon, 27 May 2024 17:48:54 +0300
Subject: [PATCH] Merge PR #4840 from @skaynum - Add new rules related to MySQL daemon and potential phishing attempts
new: Uncommon File Creation By Mysql Daemon Process
new: Potential Suspicious Browser Launch From Document Reader Process
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...vent_win_mysqld_uncommon_file_creation.yml | 34 +++++++++++++++++
 ...er_launch_from_document_reader_process.yml | 37 +++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
diff --git a/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
new file mode 100644
index 00000000000..d60c5a3fcb8
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
@@ -0,0 +1,34 @@
+title: Uncommon File Creation By Mysql Daemon Process
+id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
+status: experimental
+description: |
+ Detects the creation of files with scripting or executable extensions by Mysql daemon.
+ Which could be an indicator of "User Defined Functions" abuse to download malware.
+references:
+ - https://asec.ahnlab.com/en/58878/
+ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
+author: Joseph Kamau
+date: 2024/05/27
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith:
+ - \mysqld.exe
+ - \mysqld-nt.exe
+ TargetFilename|endswith:
+ - '.bat'
+ - '.dat'
+ - '.dll'
+ - '.exe'
+ - '.ps1'
+ - '.psm1'
+ - '.vbe'
+ - '.vbs'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
new file mode 100644
index 00000000000..9235887ad2d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
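Review bot: The `attack.defense_evasion` tag does not match the behaviour the description targets; UDF abuse that makes mysqld write executables and scripts is an execution/persistence pattern, so a tag such as `attack.persistence` with `attack.t1505.001` (Server Software Component: SQL Stored Procedures) would likely fit better — worth confirming against the two referenced write-ups. Separately, the `Image|endswith` values are unquoted while every `TargetFilename|endswith` value is quoted; writing them as `'\mysqld.exe'` and `'\mysqld-nt.exe'` keeps the rule consistent with the second file in this patch. The description's second sentence is a fragment; joining `Which could be an indicator ...` to the preceding sentence with a comma reads correctly.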
@@ -0,0 +1,37 @@
+title: Potential Suspicious Browser Launch From Document Reader Process
+id: 1193d960-2369-499f-a158-7b50a31df682
+status: experimental
+description: |
+ Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
+references:
+ - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
+ - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
+author: Joseph Kamau
+date: 2024/05/27
+tags:
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ ParentImage|contains:
+ - 'Acrobat Reader'
+ - 'Microsoft Office'
+ - 'PDF Reader'
+ Image|endswith:
+ - '\brave.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ - '\msedge.exe'
+ - '\opera.exe'
+ - '\maxthon.exe'
+ - '\seamonkey.exe'
+ - '\vivaldi.exe'
+ - ''
+ CommandLine|contains: 'http'
+ condition: selection
+falsepositives:
+ - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
+level: medium
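Review bot: The empty-string entry `- ''` in the `Image|endswith` list neutralises the whole browser list, because every path ends with the empty suffix; as written the selection matches any child of the listed document readers whose command line contains `http`, not only browsers. Removing that line restores the browser-only scope the title and falsepositives text describe; if a catch-all was intended, it belongs in a separately named selection so the browser list is not silently bypassed. Note also that `CommandLine|contains: 'http'` is a bare substring match (any argument containing that text qualifies, not just a URL), which is worth stating in the falsepositives entry so analysts know what to check.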