Et rule 2039187 - Magic-SigExplorer

""ET TROJAN MSSQL maggie backdoor sp_addextendedproc Command Observed""

SID: 2039187

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Microsoft_SQL_Server, attack_target SQL_Server, created_at 2022_10_12, deployment Perimeter, deployment Internal, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2022_10_12

Reference:

Link

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: [$HOME_NET,$SQL_SERVERS]

Destination Port: 1433

Flow: established,to_server

Contents:

Value: "s|00|p|00|_|00|a|00|d|00|d|00|e|00|x|00|t|00|e|00|n|00|d|00|e|00|d|00|p|00|r|00|o|00|c|00 20 00|m|00|a|00|g|00|g|00|i|00|e|00|"

Within:

PCRE:

Special Options:

nocase

source