Suspicious Browser Launch

rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml

@@ -0,0 +1,34 @@
+title: Uncommon File Creation By Mysql Daemon Process
+id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
+status: experimental
+description: |
+    Detects the creation of files with scripting or executable extensions by Mysql daemon.
+    Which could be an indicator of "User Defined Functions" abuse to download malware.
+references:
+    - https://asec.ahnlab.com/en/58878/
+    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
+author: Joseph Kamau
+date: 2024/05/27
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith:
+            - \mysqld.exe
+            - \mysqld-nt.exe
+        TargetFilename|endswith:
+            - '.bat'
+            - '.dat'
+            - '.dll'
+            - '.exe'
+            - '.ps1'
+            - '.psm1'
+            - '.vbe'
+            - '.vbs'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml

@@ -0,0 +1,37 @@
+title: Potential Suspicious Browser Launch From Document Reader
+id: 1193d960-2369-499f-a158-7b50a31df682
+status: experimental
+description: |
+    Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
+references:
+    - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
+    - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
+author: Joseph Kamau
+date: 2024/05/27
+tags:
+    - attack.execution
+    - attack.t1204.002
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        ParentImage|contains:
+            - 'Acrobat Reader'
+            - 'Microsoft Office'
+            - 'PDF Reader'
+        Image|endswith:
+            - '\brave.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+            - '\msedge.exe'
+            - '\opera.exe'
+            - '\maxthon.exe'
+            - '\seamonkey.exe'
+            - '\vivaldi.exe'
+            - ''
+        CommandLine|contains: 'http'
+    condition: selection
+falsepositives:
+    - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
+level: medium