MSSQL Extended Stored Procedure Backdoor Maggie
This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL Server. It matches Application-log event 8128 from the MSSQLSERVER provider (the informational message SQL Server writes when it loads a DLL to execute an extended stored procedure) whose message text contains 'maggie'.
Sigma rule
title: MSSQL Extended Stored Procedure Backdoor Maggie
id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
status: test
description: This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL server
references:
    - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
author: Denis Szadkowski, DIRT / DCSO CyTec
date: 2022/10/09
modified: 2022/10/09
tags:
    - attack.persistence
    - attack.t1546
    - detection.emerging_threats
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'MSSQLSERVER'
        EventID: 8128
        Message|contains: 'maggie'
    condition: selection
falsepositives:
    - Legitimate extended stored procedures named maggie
level: high
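The selection above, applied to a handful of constructed Application-log events, as an added example (this is not code from the Sigma project or from DCSO, and the event records, DLL names and version strings are made up for illustration). It implements the two Sigma matching behaviours the rule relies on, case-insensitive exact match for a bare field and case-insensitive substring match for `|contains`, and includes one record from a SQL Server named instance: those log under the provider name MSSQL$<instance>, so the exact `Provider_Name: 'MSSQLSERVER'` match does not cover them, which a deployer should know before relying on the rule.

```python
"""Apply the selection of the 'MSSQL Extended Stored Procedure Backdoor Maggie'
Sigma rule to Windows Application-log events.

Added example; this is not code from the Sigma project or from DCSO.
The events below are constructed for illustration and use the Sigma field
names the rule refers to (Provider_Name, EventID, Message).
"""
from typing import Any, Dict, List

# The rule's selection: every key must match (a Sigma selection map is an AND).
RULE_SELECTION: Dict[str, Any] = {
    "Provider_Name": "MSSQLSERVER",
    "EventID": 8128,
    "Message|contains": "maggie",
}


def field_matches(key: str, expected: Any, event: Dict[str, Any]) -> bool:
    """Evaluate one 'field' or 'field|modifier' entry against an event.

    Sigma string comparison is case-insensitive; a bare field is an exact match
    and '|contains' is a substring match. Only the modifiers this rule uses are
    implemented.
    """
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    wanted = str(expected).lower()
    if modifier == "":
        return actual == wanted
    if modifier == "contains":
        return wanted in actual
    raise ValueError(f"unsupported Sigma modifier: {modifier!r}")


def selection_matches(event: Dict[str, Any],
                      selection: Dict[str, Any] = RULE_SELECTION) -> bool:
    """True when the event satisfies every entry of the selection."""
    return all(field_matches(k, v, event) for k, v in selection.items())


def run_rule(events: List[Dict[str, Any]]) -> List[int]:
    """Indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if selection_matches(ev)]


# Constructed events. The 8128 text follows the informational message SQL
# Server logs when it loads a DLL to run an extended stored procedure; the DLL
# and version strings are placeholders, not indicators from the DCSO report.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # 0: a stock extended stored procedure on the default instance
        "Provider_Name": "MSSQLSERVER", "EventID": 8128,
        "Message": "Using 'xpstar.dll' version '2019.150.2000' to execute "
                   "extended stored procedure 'xp_cmdshell'.",
    },
    {   # 1: the backdoor loaded on the default instance -> alert
        "Provider_Name": "MSSQLSERVER", "EventID": 8128,
        "Message": "Using 'maggie.dll' version '1.0.0.0' to execute "
                   "extended stored procedure 'maggie'.",
    },
    {   # 2: the same load on a named instance; the provider is MSSQL$<instance>,
        #    so the exact Provider_Name match in the rule does not fire
        "Provider_Name": "MSSQL$SQLEXPRESS", "EventID": 8128,
        "Message": "Using 'maggie.dll' version '1.0.0.0' to execute "
                   "extended stored procedure 'maggie'.",
    },
    {   # 3: unrelated event (constructed) that merely mentions the string -> no alert
        "Provider_Name": "MSSQLSERVER", "EventID": 17137,
        "Message": "Starting up database 'maggie_reports'.",
    },
    {   # 4: casing differs; Sigma matching is case-insensitive -> alert
        "Provider_Name": "mssqlserver", "EventID": 8128,
        "Message": "Using 'MAGGIE.DLL' version '1.0.0.0' to execute "
                   "extended stored procedure 'MAGGIE'.",
    },
]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"alert on event {i}: {SAMPLE_EVENTS[i]['Message']}")
```

Running the block alerts on events 1 and 4 only. To feed real records instead of the constructed ones, the same three fields can be pulled on a host with `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSSQLSERVER'; Id=8128}` (substituting `MSSQL$<instance>` for named instances) and passed in as dictionaries.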
Related rules
- SOURGUM Actor Behaviours
- DarkGate - User Created Via Net.EXE
- Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
- Potential CVE-2023-36884 Exploitation Dropped File
- StoneDrill Service Install