Windows SQL Server Extended Procedure DLL Loading Hunt

Splunk Security Content

Summary
This detection rule identifies when SQL Server loads a DLL to execute an extended stored procedure, a feature that can be abused by malicious actors. The rule focuses on specific procedures known to pose security risks, such as `xp_cmdshell` and `sp_OACreate`. Because legitimate database operations often invoke these procedures, knowing which DLLs are loaded and which versions they carry is crucial for distinguishing normal operations from potential intrusions. The rule uses the Windows Event Log (Event Code 8128) to extract DLL loading events and categorize them by predefined criteria. By analyzing the frequency and context of these events, security teams can detect anomalous behavior indicative of exploitation or unauthorized use of SQL Server capabilities.
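As an added illustration of the extraction logic the summary describes (not code from the Splunk rule itself), the following Python parses the message text of Event ID 8128 from constructed sample log lines, counts each host/DLL/version/procedure combination, and flags the high-risk procedures plus any DLL/version pair outside a hypothetical baseline. The message shape, the sample events and the baseline versions are assumptions.

```python
import re
from collections import Counter

# Text of SQL Server Event ID 8128 as written to the Windows Application log (shape assumed here):
#   Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_regread'.
EVENT_8128_RE = re.compile(
    r"Using '(?P<dll>[^']+)' version '(?P<version>[^']+)' "
    r"to execute extended stored procedure '(?P<proc>[^']+)'", re.IGNORECASE)

# Procedures the rule singles out as high risk (named in the rule summary).
HIGH_RISK_PROCS = {"xp_cmdshell", "sp_oacreate"}
# Hypothetical per-environment baseline: DLL -> versions observed during normal operation.
KNOWN_DLL_VERSIONS = {"xpstar.dll": {"2019.150.2000"}, "xplog70.dll": {"2019.150.2000"},
                      "odsole70.dll": {"2019.150.2000"}}

# Constructed sample events (host, event code, message); not real telemetry.
TAIL = " This is an informational message only; no user action is required."
SAMPLE_EVENTS = [
    ("sql01", 8128, "Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_regread'." + TAIL),
    ("sql01", 8128, "Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_regread'." + TAIL),
    ("sql01", 8128, "Using 'xplog70.dll' version '2019.150.2000' to execute extended stored procedure 'xp_cmdshell'." + TAIL),
    ("sql02", 8128, "Using 'odsole70.dll' version '2019.150.2000' to execute extended stored procedure 'sp_OACreate'." + TAIL),
    ("sql02", 8128, "Using 'unknown_ext.dll' version '1.0.0.0' to execute extended stored procedure 'xp_custom'." + TAIL),
    ("sql02", 17137, "Starting up database 'tempdb'."),
]

def parse_8128(message):
    """Return {dll, version, proc} from an 8128 message, or None if it does not match."""
    m = EVENT_8128_RE.search(message)
    if m is None:
        return None
    return {"dll": m["dll"].lower(), "version": m["version"], "proc": m["proc"].lower()}

def hunt(events):
    """Count 8128 events per (host, dll, version, proc); return (counts, [(key, reason), ...])."""
    counts = Counter()
    findings = []
    for host, code, message in events:
        parsed = parse_8128(message) if code == 8128 else None
        if parsed is None:
            continue
        key = (host, parsed["dll"], parsed["version"], parsed["proc"])
        counts[key] += 1
        if counts[key] > 1:
            continue  # report each distinct combination once; counts carry the frequency
        if parsed["proc"] in HIGH_RISK_PROCS:
            findings.append((key, "high-risk extended procedure"))
        if parsed["version"] not in KNOWN_DLL_VERSIONS.get(parsed["dll"], set()):
            findings.append((key, "dll/version not in baseline"))
    return counts, findings
```

The frequency counts are what a hunter would compare against a per-host baseline, while the findings list is the triage queue.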
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1505.001
  • T1059.009
Created: 2025-02-10