
Summary
This rule detects execution of the MSSQL xp_cmdshell stored procedure, which is commonly misused by malicious actors to run system commands and potentially escalate privileges on Windows hosts running Microsoft SQL Server (MSSQL). xp_cmdshell lets a database session launch shell commands and is disabled by default for security reasons. The rule triggers on process creation events whose parent process is sqlservr.exe and whose child is cmd.exe or another suspicious executable such as vpnbridge.exe, certutil.exe, or bitsadmin.exe. The rule carries a high risk score, reflecting the security implications of this behavior and the exploitation paths it enables. Investigation steps include analyzing the process execution chain, user behavior, and command lines for anomalies; recommended responses include isolating affected hosts and disabling xp_cmdshell if it has been misused.
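The detection logic described above, as an added example that is not part of the original rule page: process creation events are matched on a sqlservr.exe parent and one of the listed child executables, and each match is enriched with triage hints drawn from the command line. The event records, the field names (host, user, parent, process, cmdline), the tag names and the severity label are assumptions of this example; only the executable names and ATT&CK technique IDs come from the page.

```python
"""Toy detection for suspicious child processes of sqlservr.exe (xp_cmdshell pattern)."""

# Child executables the rule summary names as suspicious when spawned by sqlservr.exe.
SUSPICIOUS_CHILDREN = {"cmd.exe", "vpnbridge.exe", "certutil.exe", "bitsadmin.exe"}

# ATT&CK techniques the rule page lists.
TECHNIQUES = ("T1505", "T1505.001", "T1059", "T1059.003")

# Constructed sample process-creation events (hypothetical; not taken from the rule page).
SAMPLE_EVENTS = [
    {"host": "sql01", "user": r"NT SERVICE\MSSQLSERVER",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "dir C:\Users"'},
    {"host": "sql01", "user": r"NT SERVICE\MSSQLSERVER",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "process": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"conhost.exe 0xffffffff"},
    {"host": "sql01", "user": r"NT SERVICE\MSSQLSERVER",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "process": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -f http://files.example.invalid/note.txt note.txt"},
    {"host": "ws07", "user": r"CORP\alice",
     "parent": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe"},
]


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_rule(event: dict) -> bool:
    """Core rule: parent is sqlservr.exe and the child is one of the listed executables."""
    return (_basename(event["parent"]) == "sqlservr.exe"
            and _basename(event["process"]) in SUSPICIOUS_CHILDREN)


def triage_tags(cmdline: str) -> list:
    """Analyst hints derived from the command line (tag names are this example's own)."""
    tags = []
    lower = cmdline.lower()
    if "http://" in lower or "https://" in lower:
        tags.append("remote_url_in_cmdline")      # fetches from or talks to a remote host
    if "\\\\" in cmdline:
        tags.append("unc_path_in_cmdline")        # touches a network share
    if " /c " in lower or " /k " in lower:
        tags.append("inline_command")             # cmd.exe given a command string to run
    return tags


def build_alert(event: dict) -> dict:
    """Shape one matched event into an alert record for the investigation queue."""
    return {
        "rule": "MSSQL xp_cmdshell child process",
        "severity": "high",                        # the page describes a high risk score
        "host": event["host"],
        "user": event["user"],
        "child": _basename(event["process"]),
        "cmdline": event["cmdline"],
        "tags": triage_tags(event["cmdline"]),
        "techniques": list(TECHNIQUES),
    }


def detect(events: list) -> list:
    """Run the rule over a batch of process-creation events and return the alerts."""
    return [build_alert(e) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["child"], alert["tags"], alert["cmdline"])
```

Run against the sample batch, only the cmd.exe and certutil.exe children of sqlservr.exe produce alerts; conhost.exe under sqlservr.exe is ignored because it is not among the listed executables, and cmd.exe under explorer.exe is ignored because the parent is wrong. The tags do not change whether an event fires; they are there to support the investigation steps the rule describes (command-line review), so an alert with no tags still deserves a look at the surrounding execution chain and the user behind the session.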
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1505
- T1505.001
- T1059
- T1059.003
Created: 2020-08-14