MSSQL Extended Stored Procedure Backdoor Maggie

Aug 12, 2024 · attack.persistence attack.t1546 detection.emerging-threats ·

This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Sigma rule (View on GitHub)

 1title: MSSQL Extended Stored Procedure Backdoor Maggie
 2id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
 3status: test
 4description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
 5references:
 6    - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
 7author: Denis Szadkowski, DIRT / DCSO CyTec
 8date: 2022-10-09
 9modified: 2022-10-09
10tags:
11    - attack.persistence
12    - attack.t1546
13    - detection.emerging-threats
14logsource:
15    product: windows
16    service: application
17detection:
18    selection:
19        Provider_Name: 'MSSQLSERVER'
20        EventID: 8128
21        Message|contains: 'maggie'
22    condition: selection
23falsepositives:
24    - Legitimate extended stored procedures named maggie
25level: high

References

MSSQL, meet Maggie

A novel backdoor for Microsoft SQL servers controlled using SQL queries

Read More

MSSQL Extended Stored Procedure Backdoor Maggie

Sigma rule (View on GitHub)

References

MSSQL, meet Maggie

Related rules