MSSQL Extended Stored Procedure Backdoor Maggie

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1546 detection.emerging-threats  ·
Share on: linkedin copy

This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Sigma rule (View on GitHub)

 1title: MSSQL Extended Stored Procedure Backdoor Maggie
 2id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
 3status: test
 4description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
 5references:
 6    - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
 7author: Denis Szadkowski, DIRT / DCSO CyTec
 8date: 2022-10-09
 9tags:
10    - attack.privilege-escalation
11    - attack.persistence
12    - attack.t1546
13    - detection.emerging-threats
14logsource:
15    product: windows
16    service: application
17detection:
18    selection:
19        Provider_Name: 'MSSQLSERVER'
20        EventID: 8128
21        Message|contains: 'maggie'
22    condition: selection
23falsepositives:
24    - Legitimate extended stored procedures named maggie
25level: high

References

Related rules

to-top