rules/_deprecated/execution_mysql_binary.toml

[metadata]
creation_date = "2022/03/09"
deprecation_date = "2022/05/09"
maturity = "deprecated"
updated_date = "2022/05/09"

[rule]
author = ["Elastic"]
description = """
Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell. The
MySQL server is an open source relational database management system. The activity of spawning shell is not a standard
use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve
the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Linux Restricted Shell Breakout via the mysql command"
references = ["https://gtfobins.github.io/gtfobins/mysql/"]
risk_score = 47
rule_id = "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and process.name in ("bash", "sh", "dash") and
  process.parent.name == "mysql" and process.parent.args == "-e" and
  process.parent.args : ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
mysql shell evasion threat (#1823 ) 2022-03-10 22:36:35 +05:30			`[metadata]`
			`creation_date = "2022/03/09"`
[Rule tuning] Linux binary(s) shell evasion threat (#1957 ) 2022-05-25 08:32:53 +05:30			`deprecation_date = "2022/05/09"`
			`maturity = "deprecated"`
			`updated_date = "2022/05/09"`
mysql shell evasion threat (#1823 ) 2022-03-10 22:36:35 +05:30
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 ) 2022-05-06 13:21:12 -04:00			`Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell. The`
			`MySQL server is an open source relational database management system. The activity of spawning shell is not a standard`
			`use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve`
			`the capabilities or stability of their access.`
mysql shell evasion threat (#1823 ) 2022-03-10 22:36:35 +05:30			`"""`
			`from = "now-9m"`
			`index = ["logs-endpoint.events.*"]`
			`language = "eql"`
			`license = "Elastic License v2"`
			`name = "Linux Restricted Shell Breakout via the mysql command"`
			`references = ["https://gtfobins.github.io/gtfobins/mysql/"]`
			`risk_score = 47`
			`rule_id = "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb"`
			`severity = "medium"`
Updation of Mitre Tactic and Threats (#1850 ) 2022-03-18 15:06:24 +05:30			`tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]`
mysql shell evasion threat (#1823 ) 2022-03-10 22:36:35 +05:30			`timestamp_override = "event.ingested"`
			`type = "eql"`

			`query = '''`
Expand timestamp override tests (#1907 ) 2022-04-01 15:27:08 -08:00			`process where event.type == "start" and process.name in ("bash", "sh", "dash") and`
			`process.parent.name == "mysql" and process.parent.args == "-e" and`
			`process.parent.args : ("\\!sh", "\\!bash", "\\!dash", "\\!/bin/sh", "\\!/bin/bash", "\\!/bin/dash")`
mysql shell evasion threat (#1823 ) 2022-03-10 22:36:35 +05:30			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
Updation of Mitre Tactic and Threats (#1850 ) 2022-03-18 15:06:24 +05:30			`id = "T1059"`
			`name = "Command and Scripting Interpreter"`
			`reference = "https://attack.mitre.org/techniques/T1059/"`
mysql shell evasion threat (#1823 ) 2022-03-10 22:36:35 +05:30			`[[rule.threat.technique.subtechnique]]`
Updation of Mitre Tactic and Threats (#1850 ) 2022-03-18 15:06:24 +05:30			`id = "T1059.004"`
			`name = "Unix Shell"`
			`reference = "https://attack.mitre.org/techniques/T1059/004/"`
mysql shell evasion threat (#1823 ) 2022-03-10 22:36:35 +05:30


			`[rule.threat.tactic]`
Updation of Mitre Tactic and Threats (#1850 ) 2022-03-18 15:06:24 +05:30			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`
mysql shell evasion threat (#1823 ) 2022-03-10 22:36:35 +05:30