MSSQL Extended Stored Procedure Backdoor Maggie
This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL Server
Sigma rule

```yaml
title: MSSQL Extended Stored Procedure Backdoor Maggie
id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
status: test
description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
references:
    - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
author: Denis Szadkowski, DIRT / DCSO CyTec
date: 2022-10-09
tags:
    - attack.persistence
    - attack.t1546
    - detection.emerging-threats
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'MSSQLSERVER'
        EventID: 8128
        Message|contains: 'maggie'
    condition: selection
falsepositives:
    - Legitimate extended stored procedures named maggie
level: high
```
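To show what the `selection` block above actually evaluates, here is an added example (not code from the rule page or from the rule's author) that applies the rule's three field tests to Windows Application log records. The event records, DLL names and version strings are constructed samples modelled on the wording of SQL Server Event ID 8128; field names follow the Sigma rule, and the matcher implements Sigma's AND-of-fields semantics with case-insensitive string comparison and the `contains` modifier.

```python
# Added example, not part of the Sigma rule page: evaluate the rule's
# 'selection' over constructed Windows Application log events.
from dataclasses import dataclass
from typing import Iterable, List

# The rule's selection block kept as data. Sigma semantics: every key must
# match (logical AND); plain string values compare case-insensitively, and
# the '|contains' modifier is a case-insensitive substring test.
SELECTION = {
    "Provider_Name": "MSSQLSERVER",
    "EventID": 8128,
    "Message|contains": "maggie",
}


@dataclass
class AppLogEvent:
    """One Windows Application log record, reduced to the fields the rule uses."""
    provider_name: str
    event_id: int
    message: str

    def field(self, name: str):
        return {"Provider_Name": self.provider_name,
                "EventID": self.event_id,
                "Message": self.message}[name]


def field_matches(event: AppLogEvent, key: str, expected) -> bool:
    """Evaluate one Sigma 'Field[|modifier]: value' pair against an event."""
    name, _, modifier = key.partition("|")
    actual = event.field(name)
    if modifier == "":
        if isinstance(expected, str):
            return str(actual).lower() == expected.lower()
        return actual == expected
    if modifier == "contains":
        return expected.lower() in str(actual).lower()
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event: AppLogEvent, selection=SELECTION) -> bool:
    """'condition: selection' holds only when every field in the map matches."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def find_maggie_alerts(events: Iterable[AppLogEvent]) -> List[AppLogEvent]:
    """Return the events that would raise this rule."""
    return [e for e in events if selection_matches(e)]


# Constructed sample events (not real telemetry). Event ID 8128 is written
# when SQL Server loads a DLL to execute an extended stored procedure, so the
# DLL name and procedure name appear in the message text.
SAMPLE_EVENTS = [
    AppLogEvent("MSSQLSERVER", 8128,
                "Using 'xpstar.dll' version '2019.150.4153' to execute extended "
                "stored procedure 'xp_instance_regread'. This is an informational "
                "message only; no user action is required."),
    AppLogEvent("MSSQLSERVER", 8128,
                "Using 'maggie.dll' version '1.0.0.0' to execute extended stored "
                "procedure 'maggie'. This is an informational message only; no user "
                "action is required."),
    # Same keyword, different event: must not fire.
    AppLogEvent("MSSQLSERVER", 17137,
                "Starting up database 'maggie_test'."),
    # Named instance: the provider name is MSSQL$<instance>, so the rule's exact
    # Provider_Name match does not fire even though the message is identical.
    AppLogEvent("MSSQL$SQLEXPRESS", 8128,
                "Using 'maggie.dll' version '1.0.0.0' to execute extended stored "
                "procedure 'maggie'."),
]

if __name__ == "__main__":
    for hit in find_maggie_alerts(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit.event_id}: {hit.message[:70]}...")
```

Running the block flags only the second sample. The fourth sample illustrates a coverage gap worth knowing about when deploying the rule: named SQL Server instances log under the source `MSSQL$<instance name>` rather than `MSSQLSERVER`, so an environment with named instances needs the `Provider_Name` test widened (for example to a `startswith: 'MSSQL'` modifier) before this detection covers them. The first sample is a normal 8128 event for a built-in extended stored procedure and shows why the rule keys on the `maggie` string rather than on the event ID alone.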
Related rules
- HAFNIUM Exchange Exploitation Activity
- SOURGUM Actor Behaviours
- Kapeka Backdoor Autorun Persistence
- Kapeka Backdoor Configuration Persistence
- Kapeka Backdoor Persistence Activity