"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique DUMP INTO executable)"
SID: 2015995
Revision: 4
Class Type: attempted-user
Metadata: created_at 2012_12_06, updated_at 2012_12_06
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: any
Destination Network: $SQL_SERVERS
Destination Port: 3306
Flow: to_server,established
Contents:
-
Value: "|03|" Depth: 4 Offset: 3
-
Value: "SELECT data FROM"
-
Value: "INTO DUMPFILE"
-
Value: "c|3a|/windows/system32/"
-
Value: ".exe"
Within:
PCRE: "/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?.exe[\x27\x22]/i"
Special Options:
-
nocase
-
nocase
-
nocase
-
fast_pattern
-
nocase