From 01ca4712f3315c9cdb9126716bbccfd690fc2b41 Mon Sep 17 00:00:00 2001
From: Hendrik Baecker
Date: Wed, 12 Oct 2022 08:51:08 +0200
Subject: [PATCH 1/2] MSSQL stored procedure - maggie
---
 .../application/win_mssql_sp_maggie.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/builtin/application/win_mssql_sp_maggie.yml
diff --git a/rules/windows/builtin/application/win_mssql_sp_maggie.yml b/rules/windows/builtin/application/win_mssql_sp_maggie.yml
new file mode 100644
index 000000000..5c2c213fe
--- /dev/null
+++ b/rules/windows/builtin/application/win_mssql_sp_maggie.yml
@@ -0,0 +1,24 @@
+title: MSSQL extended stored procedure backdoor Maggie
+id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
+description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
+tags:
+ - attack.persistence
+ - attack.t1546
+status: experimental
+date: 2022/10/09
+modified: 2022/10/09
+references:
+ - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
+author: Denis Szadkowski, DIRT / DCSO CyTec
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Provider_Name: 'MSSQLSERVER'
+ EventID: 8128
+ Message|contains: 'maggie'
+ condition: selection
+falsepositives:
+ - Legitimate extended stored procedures named maggie
+level: high
From aa3c93e8dc4c84072cd127ef23f5285daa9fa272 Mon Sep 17 00:00:00 2001
From: Hendrik Baecker
Date: Wed, 12 Oct 2022 09:05:27 +0200
Subject: [PATCH 2/2] Changed title
---
 rules/windows/builtin/application/win_mssql_sp_maggie.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/application/win_mssql_sp_maggie.yml b/rules/windows/builtin/application/win_mssql_sp_maggie.yml
index 5c2c213fe..e408312e2
--- a/rules/windows/builtin/application/win_mssql_sp_maggie.yml
+++ b/rules/windows/builtin/application/win_mssql_sp_maggie.yml
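Review bot: `Provider_Name: 'MSSQLSERVER'` in the selection only matches the default instance; SQL Server named instances write their Application-log events under a provider of the form `MSSQL$<INSTANCENAME>`, so the rule as written silently misses them and should match with `Provider_Name|startswith: 'MSSQL'` (or list both forms). The `attack.t1546` tag (Event Triggered Execution) looks like the less precise technique for an extended stored procedure backdoor; T1505.001 (Server Software Component: SQL Stored Procedures) appears to be the closer match and could be added alongside it. Matching the whole `Message` on the bare substring `maggie` is broad; if the 8128 message text reliably names the procedure being loaded, anchoring on that phrasing (e.g. `Message|contains: "extended stored procedure 'maggie'"`) would cut the false positives the rule already acknowledges, though the exact message format should be confirmed against a real event first. Finally, the description's "extended storage procedure" should read "extended stored procedure".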
@@ -1,4 +1,4 @@
-title: MSSQL extended stored procedure backdoor Maggie
+title: MSSQL Extended Stored Procedure Backdoor Maggie
 id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
 description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
 tags: