Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threathightest

MSSQL Extended Stored Procedure Backdoor Maggie

This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Denis Szadkowski, DIRT / DCSO CyTecCreated Sun Oct 09711ab2fe-c9ba-4746-8840-5228a58c3cb82022
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Windowsapplication
ProductWindows← raw: windows
Serviceapplication← raw: application
Detection Logic
Detection Logic1 selector
detection:
    selection:
        Provider_Name: 'MSSQLSERVER'
        EventID: 8128
        Message|contains: 'maggie'
    condition: selection
False Positives

Legitimate extended stored procedures named maggie

References
1
Resolving title…
medium.com
MITRE ATT&CK

Other

detection.emerging-threats
Rule Metadata
Rule ID
711ab2fe-c9ba-4746-8840-5228a58c3cb8
Status
test
Level
high
Type
Emerging Threat
Created
Sun Oct 09
Author
Denis Szadkowski, DIRT / DCSO CyTec
Path
rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1546detection.emerging-threats
View on GitHub