Data from Information Repositories: Databases

Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments).

Examples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Data collected from databases may be used for Lateral Movement, Command and Control, or Exfiltration. Data exfiltrated from databases may also be used to extort victims or may be sold for profit.[1]

ID: T1213.006
Sub-technique of: T1213
Tactic: Collection
Platforms: IaaS, Linux, SaaS, Windows, macOS
Version: 1.0
Created: 22 May 2025
Last Modified: 21 October 2025

Procedure Examples

ID Name Description
C0040 APT41 DUST

APT41 DUST collected data from victim Oracle databases using SQLULDR2.[2]

G0037 FIN6

FIN6 has collected schemas and user accounts from systems running SQL Server.[3]

C0049 Leviathan Australian Intrusions

Leviathan gathered information from SQL servers and Building Management System (BMS) servers during Leviathan Australian Intrusions.[4]

S1146 MgBot

MgBot includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices.[5]

S0598 P.A.S. Webshell

P.A.S. Webshell has the ability to list and extract data from SQL databases.[6]

G0034 Sandworm Team

Sandworm Team has exfiltrated data of interest from enterprise databases using Adminer.[7]

G1041 Sea Turtle

Sea Turtle used the tool Adminer to remotely log on to the MySQL service of victim machines.[8]

G0010 Turla

Turla has used a custom .NET tool to collect documents from an organization's internal central database.[9]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic review of accounts and privileges for critical and sensitive databases.

M1041 Encrypt Sensitive Information

Encrypt data stored at rest in databases.

M1054 Software Configuration

Consider implementing data retention policies that automate the periodic archiving and/or deletion of data that is no longer needed.

M1018 User Account Management

Enforce the principle of least privilege. Consider implementing access control mechanisms that include both authentication and authorization.

M1017 User Training

Develop and publish policies that define acceptable information to be stored in databases and acceptable handling of customer data. Only store information required for business operations.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0242 Suspicious Database Access and Dump Activity Across Environments (T1213.006)

AN0676

Unusual database command-line access (e.g., psql, mysql, mongo) from non-admin users, occurring outside typical automation windows or without known service context. Often followed by data dumps to .sql/.csv files or outbound data transfers. Defender sees CLI tools launched interactively or by unusual parent processes, file writes to dump-like filenames, and external connections shortly after.

AN0677

Database client execution (e.g., sqlcmd.exe, isql.exe) by users or from locations not tied to enterprise automation or backups. Often followed by creation of .sql/.bak/.csv files, registry artifacts for ODBC/JDBC drivers, or encrypted ZIPs. Defender sees SQL tools launched by explorer.exe, PowerShell, or other unusual parent processes, plus file writes in user temp locations.

AN0678

Execution of GUI database tools (e.g., DBeaver, Beekeeper Studio) or CLI clients (e.g., mysql, psql) from user profiles not tied to dev/admin roles, especially when followed by file writes and cloud sync activity. Defender correlates GUI tool launches, file write events in ~/Downloads or ~/Documents, and outbound API calls to known cloud services.
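The three endpoint analytics above (AN0676 for Linux-style CLI clients, AN0677 for Windows SQL tools, AN0678 for GUI and CLI clients on user workstations) share one correlation shape: a database client launched outside the baseline, then a dump-like file written to a staging directory, then an outbound connection, all on the same host and by the same user within a short window. The following is an added example of that correlation, not code from MITRE or from any named tool. The allow-lists (operator accounts, backup window, client and parent process names, staging directories, internal networks), the 30-minute window, and the telemetry records are all assumptions constructed for the example; a real deployment would source them from the CMDB, IAM and historical baselines.

```python
"""Correlate endpoint telemetry for suspicious database client use.

Added example for AN0676-AN0678 (not MITRE's code): a DB client launched by a
user outside the DB-operator set, by an odd parent, or outside the backup
window, followed within a short window by a dump-like file write and an
outbound connection. All events below are constructed sample telemetry.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed baseline; a real deployment would source these from CMDB/IAM.
DB_OPERATORS = {"svc_backup", "dba_karen"}
BACKUP_WINDOW_UTC = (1, 3)                      # hours when scheduled dumps run
DB_CLIENTS = {"psql", "mysql", "mysqldump", "mongo", "mongosh",
              "sqlcmd.exe", "isql.exe", "dbeaver", "beekeeper studio"}
ODD_PARENTS = {"explorer.exe", "powershell.exe", "cmd.exe", "outlook.exe"}
DUMP_SUFFIXES = (".sql", ".csv", ".bak", ".dump", ".zip", ".7z")
STAGING_DIRS = ("/tmp/", "\\temp\\", "/downloads/", "/documents/")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=30)


def _ts(s):
    return datetime.fromisoformat(s)


def _is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_suspicious_launch(proc):
    """Reasons a DB-client launch deviates from baseline ([] = not a DB client, or normal)."""
    if proc["image"].lower() not in DB_CLIENTS:
        return []
    reasons = []
    if proc["user"] not in DB_OPERATORS:
        reasons.append("non-operator user")
    if proc["parent"].lower() in ODD_PARENTS:
        reasons.append(f"parent {proc['parent'].lower()}")
    start, end = BACKUP_WINDOW_UTC
    if not start <= _ts(proc["ts"]).hour < end:
        reasons.append("outside backup window")
    return reasons


def correlate(events):
    """Chain launch -> dump-like file write -> external connection per host/user."""
    procs = [e for e in events if e["type"] == "process"]
    files = [e for e in events if e["type"] == "file"]
    nets = [e for e in events if e["type"] == "network"]
    findings = []
    for p in procs:
        reasons = is_suspicious_launch(p)
        if not reasons:
            continue
        t0 = _ts(p["ts"])

        def follows(e):  # same host and user, within WINDOW after the launch
            return (e["host"] == p["host"] and e["user"] == p["user"]
                    and t0 <= _ts(e["ts"]) <= t0 + WINDOW)

        dumps = [f["path"] for f in files if follows(f)
                 and f["path"].lower().endswith(DUMP_SUFFIXES)
                 and any(d in f["path"].lower() for d in STAGING_DIRS)]
        exfil = [n["dst"] for n in nets if follows(n) and _is_external(n["dst"])]
        # A deviant launch alone is low; with a staged dump medium; with an
        # external connection on top of that, high.
        severity = "high" if dumps and exfil else "medium" if dumps else "low"
        findings.append({"host": p["host"], "user": p["user"], "image": p["image"],
                         "reasons": reasons, "dumps": dumps, "external_dst": exfil,
                         "severity": severity})
    return findings


# Constructed sample telemetry (Sysmon/auditd-like fields, simplified).
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2025-06-01T01:30:00", "host": "db01", "user": "svc_backup",
     "image": "mysqldump", "parent": "cron"},
    {"type": "process", "ts": "2025-06-01T14:02:00", "host": "ws07", "user": "jsmith",
     "image": "sqlcmd.exe", "parent": "powershell.exe"},
    {"type": "file", "ts": "2025-06-01T14:05:00", "host": "ws07", "user": "jsmith",
     "path": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\customers.csv"},
    {"type": "network", "ts": "2025-06-01T14:09:00", "host": "ws07", "user": "jsmith",
     "dst": "203.0.113.45", "port": 443},
    {"type": "process", "ts": "2025-06-01T10:15:00", "host": "mac03", "user": "alice",
     "image": "psql", "parent": "Terminal"},
    {"type": "file", "ts": "2025-06-01T10:20:00", "host": "mac03", "user": "alice",
     "path": "/Users/alice/Downloads/users.sql"},
    {"type": "network", "ts": "2025-06-01T10:21:00", "host": "mac03", "user": "alice",
     "dst": "10.20.30.40", "port": 5432},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["user"], f["image"],
              f["reasons"], f["dumps"], f["external_dst"])
```

Running it yields no finding for the scheduled mysqldump (operator account, cron parent, inside the backup window), a high-severity finding for the sqlcmd.exe launch from PowerShell that is followed by a .csv in the user's Temp directory and a connection to a non-RFC1918 address, and a medium-severity finding for the psql launch on the workstation whose dump only went to ~/Downloads with no external connection in the window. Severity is driven by how much of the chain is observed rather than by the launch alone, which is what keeps legitimate ad hoc queries from paging anyone.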

AN0679

Database enumeration and export activity (e.g., SELECT * FROM, SHOW DATABASES) issued via ephemeral VMs, admin APIs, or cloud shell from non-monitoring accounts. Defender correlates audit logs (CloudTrail, GCP Admin, AzureDiagnostics), storage write ops, and cross-region transfers by identities not tied to DB operations.

AN0680

Unusual or excessive database/table exports from SaaS database platforms (e.g., Snowflake, Firebase, BigQuery, Airtable) by users or apps not in known analytics or dev groups. Defender observes access patterns outside baseline working hours or with new query templates, and correlates those with audit logs or file downloads.

References