Webinar - Attacking SQL Server CLR Assemblies

Presented by Scott Sutherland @ NetSPI


During this webinar we’ll be reviewing how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. Scott will also share a few PowerUpSQL functions that can be used to execute the CLR attacks on a larger scale in Active Directory environments. This is a live review of content previously covered in the blog

What are SQL Server CLR assemblies?

  1. They are .net DLLs that can be imported into SQL Server to extend the native functionality

  2. All code will run under the context of the SQL Server service account by default

  3. CLR Assemblies are supported by SQL Server 2008 to Present

Pros vs. Cons for Offensive Use Cases


  • Command execution without xp_cmdshell
  • Custom code can be defined
  • Commands can be executed WITHOUT having to access a file on disk
  • Assemblies can be created by a non-sysadmin if privileges are granted


  • Requires server level configuration changes
  • Requires database level configuration changes
  • Doesn’t work well on SQL Server versions prior to 2008

What’s required to use CLR assemblies?

  1. Sysadmin privileges (usually)
    • The following privilege can also work:
    • DDL_ADMIN Role
  2. Server level setting: “clr enabled” set to 1

  3. Server level setting: “clr strict security” set to 0 (2017 and later)

  4. Database level setting: “is_trustworthy” is set to “1”
    • (or) use the default “msdb” database

What’s the high-level process?

  1. Compile a .net assembly DLL
  2. Log into the SQL Server with the required privileges
  3. Configure the SQL Server to meet the minimum requirements
  4. Create Assembly from the file or hex decimal string
    • Note: The assembly is stored in a SQL Server table
  5. Create Procedure that maps to CLR methods
  6. Run your procedure