Aliases
Sql Shell, CLR SQL shell
Tags
Reverse shell, Malware
Last edited
Feb 19, 2025 2:24 PM
CLR SqlShell is a malware strain that targets poorly managed Microsoft SQL (MS SQL) servers by exploiting the Common Language Runtime (CLR) stored procedures feature. Once installed, it enables attackers to execute arbitrary commands, perform privilege escalation, and deploy additional malicious payloads such as cryptocurrency miners and ransomware. Notably, the Trigona ransomware has been observed utilizing CLR SqlShell to compromise MS SQL servers. Attackers often gain initial access through brute-force or dictionary attacks on servers with weak credentials, subsequently leveraging CLR SqlShell to maintain persistence and control over the compromised systems.
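The access pattern described above (password guessing against a weak login, then use of the CLR feature) leaves traces in the SQL Server error log. The following detection sketch is an added example, not part of the original entry. It assumes login auditing records both failed and successful logins and that the attacker has to switch the `clr enabled` option on (it is off by default); the log lines, addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in SQL Server ERRORLOG text format (documentation IPs, not real data).
SAMPLE_LOG = """\
2025-02-10 03:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-02-10 03:14:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-02-10 03:14:03.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-02-10 03:14:04.02 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2025-02-10 03:14:05.12 Logon       Login succeeded for user 'app'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
2025-02-10 03:14:06.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-02-10 03:14:08.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-02-10 03:14:09.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2025-02-10 03:15:30.02 spid58      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

FAILED = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CLR_ON = re.compile(r"Configuration option 'clr enabled' changed from 0 to 1")


def analyze(log_text, threshold=5):
    """Return findings as (kind, timestamp, client_ip, login) tuples, in log order."""
    failures = defaultdict(int)   # failed logins seen so far, per client address
    guessed = set()               # clients that logged in after >= threshold failures
    findings = []
    for line in log_text.splitlines():
        ts = line[:22]            # "YYYY-MM-DD hh:mm:ss.nn"
        if m := FAILED.search(line):
            failures[m["ip"]] += 1
        elif m := SUCCESS.search(line):
            if failures[m["ip"]] >= threshold:
                guessed.add(m["ip"])
                findings.append(("login_after_bruteforce", ts, m["ip"], m["user"]))
        elif CLR_ON.search(line):
            # The config-change line carries no client address, so correlate by order:
            # a CLR switch-on after a guessed login is the higher-priority finding.
            kind = "clr_enabled_after_bruteforce" if guessed else "clr_enabled"
            findings.append((kind, ts, None, None))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On servers that do not use CLR at all, any `clr enabled` change from 0 to 1 is worth reviewing on its own, which is why the function reports it even without a preceding guessed login.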