
Summary
This detection rule identifies anomalous activity related to SQL Server startup procedures. A startup procedure is a stored procedure that SQL Server runs automatically each time the instance starts. Attackers can abuse this feature for persistence by registering a malicious procedure, which may let them execute operating system commands or gain elevated privileges on the server every time the service restarts. The rule processes Windows Application event logs written by SQL Server for Event ID 17135 ("Launched startup procedure") and uses a regular expression to capture the name of the procedure being executed. It assigns a risk score based on the presence of patterns in the procedure name such as 'xp_', 'sp_', 'cmdshell', 'shell', or 'exec', which indicate potentially malicious activity. When a suspicious procedure is detected, a risk message is generated that names the executed startup procedure and the host it ran on. Because legitimate administrative procedures also commonly carry the 'sp_' and 'xp_' prefixes, matches should be reviewed against the set of startup procedures expected on each instance (for example by comparing with the procedures marked is_auto_executed in sys.procedures). The detection is intended for environments where SQL Server application events are being collected, so that startup-procedure abuse is monitored and investigated.
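The following is an added example, not the rule's own search logic, that re-implements the detection described above in Python so it can be run offline: it extracts the procedure name from constructed Event ID 17135 messages, scores it against the listed name fragments, and emits a risk message with the host. The event records, the score weights, and the scoring rule (highest-weight match wins) are assumptions made for this example; the original rule's exact values are not given on this page.

```python
"""Toy re-implementation of the SQL Server startup-procedure detection logic.
Event records and score weights below are constructed for this example and
are not taken from the original rule."""
import re
from typing import Optional

# Event ID 17135 is logged by SQL Server to the Application log as
# "Launched startup procedure '<name>'." -- capture the procedure name.
STARTUP_PROC_RE = re.compile(r"Launched startup procedure '([^']+)'", re.IGNORECASE)

# Name fragments called out in the summary, with assumed weights (not the rule's real values).
# Matching is a case-insensitive substring test on the procedure name.
SUSPICIOUS_PATTERNS = [
    ("cmdshell", 60),
    ("xp_", 40),
    ("shell", 40),
    ("exec", 40),
    ("sp_", 20),   # also matches usp_/msp_ prefixes, a common source of noise
]


def extract_procedure(event: dict) -> Optional[str]:
    """Return the startup procedure name from an Event ID 17135 record, else None."""
    if event.get("EventCode") != 17135:
        return None
    m = STARTUP_PROC_RE.search(event.get("Message", ""))
    return m.group(1) if m else None


def score_procedure(name: str) -> tuple[int, list[str]]:
    """Risk score is the highest weight among matching fragments; all hits are returned."""
    lowered = name.lower()
    hits = [frag for frag, _ in SUSPICIOUS_PATTERNS if frag in lowered]
    score = max((w for frag, w in SUSPICIOUS_PATTERNS if frag in lowered), default=0)
    return score, hits


def detect(events: list[dict]) -> list[dict]:
    """Run the detection over a batch of Application-log records; return risk findings."""
    findings = []
    for ev in events:
        proc = extract_procedure(ev)
        if proc is None:
            continue                      # not Event ID 17135, or message did not parse
        score, hits = score_procedure(proc)
        if score == 0:
            continue                      # no suspicious fragment in the procedure name
        findings.append({
            "host": ev.get("host"),
            "procedure": proc,
            "risk_score": score,
            "matched": hits,
            "risk_message": (
                f"SQL Server startup procedure '{proc}' was executed on host {ev.get('host')}"
            ),
        })
    return findings


# Constructed sample records in the shape a Windows Application log forwarder produces.
SAMPLE_EVENTS = [
    {"host": "SQL01", "EventCode": 17135, "Message": "Launched startup procedure 'xp_run_cmdshell'."},
    {"host": "SQL02", "EventCode": 17135, "Message": "Launched startup procedure 'sp_exec_payload'."},
    {"host": "SQL02", "EventCode": 17135, "Message": "Launched startup procedure 'RebuildIndexes'."},
    {"host": "SQL03", "EventCode": 17137, "Message": "Starting up database 'master'."},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["risk_score"], finding["risk_message"], finding["matched"])
```

Running the block alerts on the first two sample records only: 'RebuildIndexes' contains none of the fragments and the 17137 record is ignored because the rule keys solely on Event ID 17135.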
Categories
- Windows
- Database
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1505
- T1505.001
Created: 2025-02-06