
Data Export From MSSQL Table Via BCP.EXE

Sigma Rules

Summary
This rule detects execution of the BCP (Bulk Copy Program) utility, bcp.exe, in Microsoft SQL Server environments. BCP is a legitimate command-line tool for bulk import and export, but attackers have used it to export sensitive data from MSSQL databases and to write a payload that was first staged in a table or column out to a file on disk. The rule monitors process creation events for bcp.exe invoked with the 'out' or 'queryout' arguments, the two export modes ('out' copies a whole table or view, 'queryout' copies the result set of a query), so that export attempts can be reviewed as potential data exfiltration or payload staging. Because database administrators also use BCP for routine exports and backups, the rule should be tuned against the parent process, the executing account and the destination path that are normal in the environment rather than treated as a high-confidence alert on its own.
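The following is an added example, not code from the Sigma rule or this site, showing the rule's selection logic applied to a handful of constructed process-creation events and a simple triage step on top of it. The event field names (Image, CommandLine, ParentImage, User), the sample events and the approved export directory are assumptions for illustration. The export verb is matched as a whitespace-delimited token, which is slightly broader than a literal ' out ' substring match (it also catches 'out' at the end of the command line) and avoids matching arguments such as '-o out.log'.

```python
import re
from typing import Dict, List

# Selection logic equivalent to the rule: a bcp.exe process whose command line
# carries the 'out' or 'queryout' export verb as a standalone token.
BCP_IMAGE = re.compile(r"\\bcp\.exe$", re.IGNORECASE)
EXPORT_VERB = re.compile(r"(?:^|\s)(out|queryout)(?:\s|$)", re.IGNORECASE)
# The data_file argument that follows the export verb (quoted or bare path).
EXPORT_TARGET = re.compile(r"(?:^|\s)(?:out|queryout)\s+(\"[^\"]+\"|\S+)", re.IGNORECASE)

# Hypothetical tuning knob: directory where sanctioned, scheduled exports land.
APPROVED_EXPORT_DIRS = ("d:\\sqlexports\\",)

# Constructed sample events in a Sysmon EID 1 / Security 4688 style; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # ad-hoc query export to a world-readable folder from an interactive shell
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
        "CommandLine": r'bcp.exe "SELECT name FROM sys.databases" queryout C:\Users\Public\dbs.txt -c -T',
        "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
    {   # payload staged in a table written out to disk as an executable
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
        "CommandLine": r"bcp.exe dbo.Payload out C:\Windows\Temp\svc.exe -T -n",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": "NT SERVICE\\MSSQLSERVER"},
    {   # import, not export: no alert
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
        "CommandLine": r"bcp.exe Sales.dbo.Orders in C:\import\orders.csv -c -T -o out.log",
        "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\etl"},
    {   # scheduled export to the approved directory: alerts, but flagged as approved path
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
        "CommandLine": r"bcp.exe AdventureWorks.dbo.Customers out D:\SQLExports\customers.dat -c -T",
        "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE", "User": "CORP\\svc_sqlagent"},
    {   # different binary with an 'out'-looking argument: image does not match
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe",
        "CommandLine": r'sqlcmd -Q "SELECT 1" -o out.txt',
        "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
]


def is_bcp_export(event: Dict[str, str]) -> bool:
    """True when the event is bcp.exe invoked in one of its two export modes."""
    return bool(BCP_IMAGE.search(event.get("Image", ""))) and \
        bool(EXPORT_VERB.search(event.get("CommandLine", "")))


def export_target(cmdline: str) -> str:
    """Return the destination file passed to 'out'/'queryout', without quotes, or ''."""
    m = EXPORT_TARGET.search(cmdline)
    return m.group(1).strip('"') if m else ""


def is_approved_path(target: str) -> bool:
    """Destination lies under a directory listed in APPROVED_EXPORT_DIRS."""
    return any(target.lower().startswith(d) for d in APPROVED_EXPORT_DIRS)


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the selection over events and enrich each hit with triage context."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if not is_bcp_export(ev):
            continue
        target = export_target(ev.get("CommandLine", ""))
        alerts.append({
            "user": ev.get("User", ""),
            "parent": ev.get("ParentImage", ""),
            "target": target,
            "approved_path": is_approved_path(target),
        })
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"bcp export by {a['user']} (parent {a['parent']}) -> {a['target']}"
              f"{' [approved path]' if a['approved_path'] else ''}")
```

The approved-path flag is only a triage aid: an attacker who controls the SQL Server host can write into a sanctioned directory too, so the parent process and account still need review. The 'in' invocation in the third sample is deliberately left unmatched, since bulk import into a table is outside what this rule covers.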
Categories
  • Database
  • Windows
Data Sources
  • Process
Created: 2024-08-20