Merge pull request #3580 from DCSO/rule_mssql_maggie

MSSQL stored procedure - maggie

rules/windows/builtin/application/win_mssql_sp_maggie.yml

@@ -0,0 +1,24 @@
+title: MSSQL Extended Stored Procedure Backdoor Maggie
+id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
+description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
+tags:
+    - attack.persistence
+    - attack.t1546
+status: experimental
+date: 2022/10/09
+modified: 2022/10/09
+references:
+    - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
+author: Denis Szadkowski, DIRT / DCSO CyTec
+logsource:
+    product: windows
+    service: application
+detection:
+    selection:
+        Provider_Name: 'MSSQLSERVER'
+        EventID: 8128
+        Message|contains: 'maggie'
+    condition: selection
+falsepositives:
+    - Legitimate extended stored procedures named maggie
+level: high