
xp_cmdshell and Security

Jeff Iannucci talks xp_cmdshell:

That most likely means the hacker in the incident gained access to SQL Server, and then used xp_cmdshell to open a Windows command shell. With that shell opened, they could then pass DOS and/or PowerShell commands to collect information and download malware onto the server.

It sounds dangerous. It is. But whether or not xp_cmdshell is enabled is irrelevant.

Exactly. This is something Sean McCown has harped upon for years, and I’ve done my best to follow. You can do bad things with xp_cmdshell, but disabling it doesn’t actually help for reasons Jeff mentions. Instead, assuming you need xp_cmdshell for some work, don’t go beyond the pre-set limitations (where a user needs sysadmin or CONTROL SERVER) and it’s fine.
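
One way to check that an instance still sits inside those pre-set limitations is the audit query below. It is an added example, not code from Jeff's post or from this page, and it assumes you run it in `master` with permission to read server-level metadata. It relies on one fact not stated above: anyone in sysadmin can change the `xp_cmdshell` setting with `sp_configure`, so the list of privileged logins matters more than the current value of the switch.

```sql
-- Added example: audit who can reach xp_cmdshell on this instance.
USE master;

-- 1. Current setting. Informational only: a sysadmin can change it with sp_configure.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Principals inside the default boundary: sysadmin members and CONTROL SERVER
--    grantees. Windows groups are listed as one row; their members are not expanded.
SELECT p.name AS principal_name, p.type_desc, N'sysadmin member' AS reason, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
UNION ALL
SELECT p.name, p.type_desc, N'CONTROL SERVER', p.is_disabled
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.class = 100                      -- server-level permission
  AND sp.permission_name = N'CONTROL SERVER'
  AND sp.state IN ('G', 'W')              -- GRANT or GRANT WITH GRANT OPTION
ORDER BY principal_name;

-- 3. Grants beyond that boundary: explicit EXECUTE on xp_cmdshell in master.
SELECT dp.name AS grantee, dp.type_desc, perm.state_desc, perm.permission_name
FROM sys.database_permissions AS perm
JOIN sys.all_objects AS o ON o.object_id = perm.major_id
JOIN sys.database_principals AS dp ON dp.principal_id = perm.grantee_principal_id
WHERE perm.class = 1                      -- object-level permission
  AND o.name = N'xp_cmdshell'
  AND perm.state IN ('G', 'W');

-- 4. Proxy credential that lets non-sysadmin callers run xp_cmdshell.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';
```

Rows from queries 3 and 4 are the places where access has been extended past sysadmin and CONTROL SERVER; the list from query 2 is the set of logins whose compromise gives access to xp_cmdshell regardless of query 1.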