"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"
SID: 2015996
Revision: 3
Class Type: attempted-user
Metadata: created_at 2012_12_06, updated_at 2014_07_17
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: any
Destination Network: $SQL_SERVERS
Destination Port: 3306
Flow: to_server,established
Contents:
-
Value: "|03|" Depth: 4 Offset: 3
-
Value: "INSERT INTO"
-
Value: "#pragma namespace("
-
Value: "|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"
-
Value: "__EventFilter"
-
Value: " __InstanceModificationEvent"
-
Value: "TargetInstance"
-
Value: "Win32_LocalTime"
-
Value: "ActiveScriptEventConsumer"
-
Value: "JScript"
-
Value: "WScript.Shell"
-
Value: "WSH.run"
-
Value: ".exe"
-
Value: "__FilterToConsumerBinding"
Within:
PCRE: "/WSH.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?.exe/"
Special Options:
-
nocase
-
nocase
-
nocase
-
nocase
-
nocase
-
nocase
-
nocase
-
nocase
-
nocase
-
nocase
-
nocase