legitimate use of the feature by administrators (rare)

windows
sigma

Techniques

Sample rules

MSSQL SPProcoption Set

source: sigma
technicques:

Description

Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started

Detection logic

condition: selection
selection:
  Data|contains|all:
  - object_name:sp_procoption
  - statement:EXEC
  EventID: 33205
  Provider_Name|contains: MSSQL