
Summary
This detection rule identifies the creation of uncommon file types by the MySQL daemon process, specifically `mysqld.exe` and `mysqld-nt.exe`. Scripting or executable files with extensions such as `.bat`, `.ps1` or `.vbs`, among others, written by these processes indicate possible malicious activity, in particular abuse of User Defined Functions (UDF), which can be exploited to download further malware. By monitoring file creation events tied to these processes, the rule helps detect potential threats and malware infections stemming from misuse of MySQL functionality. The detection combines two components: the image name of the running process and the extension of the created file. An alert is triggered only when both match the defined criteria.
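As an added illustration (not the rule's own source or its Sigma definition), the following Python applies the two-part logic above, process image name plus created-file extension, to constructed Sysmon Event ID 11 style file-creation records. The extension set is limited to the three named above and is an assumed subset of the rule's full list.

```python
"""Added example: matcher for MySQL-daemon creation of script/executable files.
Not the rule's own code; mirrors the two conditions described in the summary."""
from dataclasses import dataclass

# Process image names the rule targets (from the summary).
MYSQLD_IMAGES = ("mysqld.exe", "mysqld-nt.exe")
# Extensions named in the summary; the rule's full list is longer ("among
# others"), so this is an assumed subset used for illustration only.
SCRIPT_EXTENSIONS = (".bat", ".ps1", ".vbs")


@dataclass
class FileCreateEvent:
    """Minimal view of a Sysmon Event ID 11 (FileCreate) record."""
    image: str            # full path of the process that created the file
    target_filename: str  # full path of the file that was created


def matches_rule(ev: FileCreateEvent) -> bool:
    """True only when BOTH conditions hold: the creating image is a MySQL
    daemon binary and the created file carries a scripting/executable
    extension. Matching is case-insensitive, as Windows paths are."""
    image = ev.image.lower().replace("/", "\\")
    basename = image.rsplit("\\", 1)[-1]          # Sigma-style Image|endswith
    image_hit = basename in MYSQLD_IMAGES
    target = ev.target_filename.lower()
    ext_hit = any(target.endswith(ext) for ext in SCRIPT_EXTENSIONS)
    return image_hit and ext_hit


def triage(events):
    """Return the subset of events that would raise an alert."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample events (paths are illustrative, not from a real host).
SAMPLE_EVENTS = [
    FileCreateEvent(r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe",
                    r"C:\Windows\Temp\update.ps1"),          # alert
    FileCreateEvent(r"C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld-nt.exe",
                    r"C:\ProgramData\run.BAT"),              # alert (case)
    FileCreateEvent(r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe",
                    r"C:\ProgramData\MySQL\data\ib_logfile0"),  # benign
    FileCreateEvent(r"C:\Windows\System32\cmd.exe",
                    r"C:\Users\alice\script.vbs"),           # wrong image
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"ALERT: {ev.image} created {ev.target_filename}")
```

The third and fourth samples show why both conditions are required: a normal MySQL data file and a script written by another process each satisfy only one of them.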
Categories
- Windows
- Database
Data Sources
- File
Created: 2024-05-27