# Tracking down Maggie

**[medium.com/@DCSO_CyTec/tracking-down-maggie-4d889872513d](https://medium.com/@DCSO_CyTec/tracking-down-maggie-4d889872513d)**

DCSO CyTec Blog October 13, 2022

[DCSO CyTec Blog](https://medium.com/@DCSO_CyTec?source=post_page-----4d889872513d--------------------------------)

Oct 11


7 min read

[In our recent blog post “MSSQL, meet Maggie” we shared our research on a novel backdoor](https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01)
malware targeting Microsoft SQL servers that DCSO CyTec refers to as “Maggie“.

Tracking Down “Maggie”
_Maggie can be summarised as malware that comes in form of an “Extended Stored_
Procedure” DLL, a special type of extension used by Microsoft SQL servers. Once loaded
into a server by an attacker, it is controlled solely using SQL queries and offers a variety of
functionality to run commands, interact with files and function as a network bridge head into
the environment of the infected server.


-----

In this blog post DCSO s Incident Response Team (DIRT) aims to provide security teams
with some insights on how to detect this novel threat in their environment.

_Blog authored by, and_

## Am I affected?

The first question that probably jumped into the minds of the majority of our readers after
reading our blog post “MSSQL, meet Maggie” was “Are my Microsoft SQL servers affected
by this threat?”.

There are multiple ways of identifying the presence of this threat in your environment. A good
starting point for Microsoft SQL administrators is to review the “Extended Stored Procedures”
(ESP) installed on their Microsoft SQL servers. One way of doing that is to use a “System
Stored Procedures” called `sp_helpextendedproc . By specifying the name of the ESP it is`
possible to quickly check if the Microsoft SQL server is affected as shown in the following
figure. If the SQL query does not return any results this means there is no ESP with the
name “maggie”.

Using sp_helpextendedproc to check the presence of Maggie
Another way of verifying if a Microsoft SQL server has been backdoored by this threat actor
is to check the application log. When a ESP is executed, the event id `8128 is logged in the`
application log of the system as can be seen in the figure below.

Execution of the extended stored procedure “maggie”
Furthermore, the application log can easily be searched with the help of the following
PowerShell one-liner. The presented one-liner can also be used in combination with the
PowerShell Cmdlet Invoke-Command to search application logs across multiple systems.
```
Get-EventLog -LogName Application -Source MSSQLSERVER | Where-Object {($_.EventID -eq
8128) -and ($_.Message -like '*maggie*')}

```
If the Microsoft SQL server is affected by this threat the PowerShell one-liner will return
output similar to the one presented in the figure below.

PowerShell one-liner output for affected MSSQL server
In addition to event id `8128 the usage of the ESP will generate the event` `33090 that`
provides information about the ESP DLLs that were recently loaded into the memory of the
Microsoft SQL server process `sqlservr.exe .`

Once the presence of the ESP named “maggie” has been confirmed by using one of the
methods described above, it is recommended to check if the threat actor was able to create
a backdoor database user in the Microsoft SQL server. This can be accomplished with the
SQL query presented below:


-----

```
select sp.name,    sp.type_desc,    sp.create_date,    sp.modify_date,   
case when sp.is_disabled = 1 then ‘Disabled’      else ‘Enabled’ end as
statusfrom sys.server_principals sp order by sp.create_date DESC

```
As described in our previous blog post one of the first things that Maggie does after
successfully bruteforcing its way into a Microsoft SQL server is to check if the current
database user has the administrative role assigned, if this is the case a backdoor database
user is created. The SQL query above will show the most recently added users accounts. It
is recommended to verify if the presented accounts are legitimate.

## Identifying malicious ESPs

After the publication of our Maggie research it is safe to assume that the use of ESPs as a
backdoor mechanism will increase among threat actors targeting Microsoft SQL servers.
Moreover, it can be assumed that the threat actors behind Maggie will take the necessary
steps to change their backdoor to make it harder for defenders to detect it. Because of that a
more generic detection approach is needed to identify malicious ESPs.

One way of accomplishing this goal is to build a baseline of ESPs present in a Microsoft SQL
server and then to monitor the application log for outliers with the help of event ids `8128`
and `33090 . In order to fine-tune detection rules additional criteria can be added e.g., the`
path of the ESP. Under normal circumstances ESP are located in `C:\Program`
```
Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn, which is not always

```
the case for malicious ESPs.

Malicious ESP DLL loaded into sqlservr.exe
[Furthermore, tools like Sysmon from Windows Sysinternals can provide added visibility that](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)
can help to detect malicious ESPs. For example event id `7 (Image loaded) can be`
leveraged to identify newly loaded ESP DLLs:

ESP DLLs loaded into `sqlservr.exe`
In addition to Sysmon event id `7, Sysmon process creation events can be used to detect`
processes spawned by the malicious ESP. In the following example the malicious ESP
```
ExtendedProcedure.DLL is used to execute the whoami.exe application to find out the

```
current user context:
```
$ exec maggie 'Exec whoami';MSSQL Procedure 12/08/2021Execute Command: Exec whoamint
service\mssqlserver

```
After running the command above the following process creation event is logged by Sysmon.
As presented in the figure below the `ParentImage of the` `whoami.exe application is the`
Microsoft SQL server process `sqlservr.exe` which should ring a bell for the seasoned
defender.

Sysmon process creation event


-----

For organisations that use Microsoft SQL servers but are lacking a SIEM solution a good
practice might be to occasionally check which ESPs are installed on their Microsoft SQL
servers. This can be done by running the “System Stored Procedure” called
```
sp_helpextendedproc without specifying any parameters as shown in the following figure:

```
Listing installed ESPs
When reviewing the installed ESPs Microsoft SQL administrators should focus on ESPs that
are not part of their baseline. Another indicator of a malicious ESP might be the path in which
the ESP DLL is located. Under normal circumstances ESPs are placed under `C:\Program`
```
Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn . In the example

```
above the malicious ESP was placed under `C:\ProgramData to avoid detection.`

## Mitigation

One of the ways that Maggie can compromise Microsoft SQL servers is by using its SQL
bruteforce functionality. In order to thwart bruteforce attempts, it is highly recommend to use
strong passwords for Microsoft SQL accounts and to enforce a strong password policy.
Additionally, the Microsoft SQL database port (default: `1433 ) should never be exposed to`
the Internet. It is sufficient when the front-end tier systems can reach the Microsoft SQL
database.

You can find additional information about securing Microsoft SQL servers at the vendors web
site under [Securing SQL Server.](https://learn.microsoft.com/en-us/sql/relational-databases/security/securing-sql-server?view=sql-server-ver16)

## YARA
```
import "pe"
rule maggie_backdoor{  meta:    description = "Detect MSSQL extended stored
procedure backdoor Maggie files"    author = "Johann Aydinbas, TEC / DCSO CyTec" 
reference = ""  strings:    $ = "Account Owner Not Found For The SID"    $
= "Call SO_UPDATE_ACCEPT_CONTEXT To Get IP"    $ = "Socks5 Stopped Failure"   
$ = "It Has Been Hooked"    $ = "AllowedIP IP Port"    $ = "Wait 5 To 10
Seconds For TS Taking Effect"    $ = "\\Binn\\sqlservr.exe"    $ = "HostList
UserList PassList"    $ = "opends60.dll"    $ = "WinSockScan"    $ =
"ResetClientData"    $ = "ViewClientData"    $ = "ElevateTS"  condition:  
pe.is_pe and     8 of them}

 SIGMA

```

-----

```
title: MSSQL Extended Stored Procedure Backdoor Maggieid: 711ab2fe c9ba 4746 8840
5228a58c3cb8description: This rule detects the execution of the extended storage
procedure backdoor named Maggie in the context of Microsoft SQL servertags:  attack.persistence  - attack.t1546status: experimentaldate: 2022/10/09modified:
2022/10/09references:  - author: Denis Szadkowski, DIRT / DCSO CyTeclogsource:  
product: windows  service: applicationdetection:  selection:    
Provider_Name: 'MSSQLSERVER'    EventID: 8128    Message|contains: 'maggie' 
condition: selectionfalsepositives:  - Legitimate extended stored procedures named
maggielevel: high

```
[win_mssql_sp_maggie.yml](https://github.com/DCSO/sigma/blob/rule_mssql_maggie/rules/windows/builtin/application/win_mssql_sp_maggie.yml)

## Are you affected?

Are you one of the organisations affected by this novel Microsoft SQL server backdoor? We
would like to hear from you! If desired, we can help your organisation to investigate and to
respond to this threat.


-----