T1213.006

Databases

Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). Examples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Threat actors including Sandworm Team, FIN6, Sea Turtle, and UNC5537 have leveraged database administration tools such as Adminer, mysqldump, and sqlcmd to extract schema definitions, user credentials, and bulk records. Data collected from databases may be used for Lateral Movement, Command and Control, or Exfiltration, and may be used to extort victims or sold for profit.

Microsoft Sentinel / Defender

kusto

let DatabaseDumpTools = dynamic([
    "mysqldump.exe", "mysqldump",
    "pg_dump.exe", "pg_dump",
    "pg_dumpall.exe", "pg_dumpall",
    "mongodump.exe", "mongodump",
    "sqlite3.exe", "sqlite3"
]);
let DatabaseClients = dynamic([
    "mysql.exe", "mysql",
    "sqlcmd.exe", "sqlcmd",
    "psql.exe", "psql",
    "mongo.exe", "mongo",
    "mongosh.exe", "mongosh",
    "osql.exe", "osql",
    "bcp.exe", "bcp",
    "isql.exe", "isql"
]);
let WebServerProcesses = dynamic([
    "w3wp.exe", "php-cgi.exe", "php.exe", "httpd.exe",
    "nginx.exe", "tomcat9.exe", "java.exe"
]);
let SuspiciousScriptEngines = dynamic([
    "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe"
]);
let BulkExtractionPatterns = dynamic([
    "--all-databases", "-A ", "--databases",
    "INTO OUTFILE", "into outfile",
    "INTO DUMPFILE", "into dumpfile",
    "SELECT * FROM", "select * from",
    "-e \"SELECT", "-Q \"SELECT",
    "--query", "-q "
]);
// Part 1: Any execution of a database dump/export utility
let DumpToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (DatabaseDumpTools)
| extend DetectionType = "DatabaseDumpToolExecution",
         WebShellIndicator = InitiatingProcessFileName has_any (WebServerProcesses),
         SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousScriptEngines);
// Part 2: Database clients spawned directly by web server worker processes (Adminer / P.A.S. webshell pattern)
let WebShellDBAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (DatabaseClients)
| where InitiatingProcessFileName has_any (WebServerProcesses)
| extend DetectionType = "WebShellDatabaseClientAccess",
         WebShellIndicator = true,
         SuspiciousParent = false;
// Part 3: Database clients with bulk extraction flags or inline query patterns
let BulkExtraction = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (DatabaseClients)
| where ProcessCommandLine has_any (BulkExtractionPatterns)
| extend DetectionType = "BulkDatabaseExtraction",
         WebShellIndicator = InitiatingProcessFileName has_any (WebServerProcesses),
         SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousScriptEngines);
// Part 4: Database clients spawned by suspicious scripting engines (post-exploitation staging)
let ScriptEngineDBAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (DatabaseClients)
| where InitiatingProcessFileName has_any (SuspiciousScriptEngines)
| extend DetectionType = "ScriptEngineSpawnedDBClient",
         WebShellIndicator = false,
         SuspiciousParent = true;
// Union all detection patterns
union DumpToolExec, WebShellDBAccess, BulkExtraction, ScriptEngineDBAccess
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionType, WebShellIndicator, SuspiciousParent
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Database administrators legitimately running mysqldump, pg_dump, or mongodump as part of scheduled backup jobs — cross-reference with change management tickets and verify execution time matches backup schedule
Application deployment pipelines (CI/CD systems like Jenkins or GitLab runners) running database migration scripts that invoke psql, sqlcmd, or mysql with SELECT/schema queries
Monitoring and observability agents (Datadog, Nagios, Zabbix) that invoke database clients to run health check queries against local or remote database instances
Developers on workstations using database clients (mysql.exe, psql.exe) interactively for legitimate application development and testing against local or staging databases
Java-based application servers (java.exe) that manage their own JDBC database connections may appear as a suspicious parent for database activity in environments without a dedicated DB tier

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ImageLower=lower(Image), ParentImageLower=lower(ParentImage), CmdLower=lower(CommandLine)
| eval IsDumpTool=if(match(ImageLower, "(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$"), 1, 0)
| eval IsDBClient=if(match(ImageLower, "(\\\\)(mysql|sqlcmd|psql|mongo|mongosh|osql|bcp|isql)(\.exe)?$"), 1, 0)
| eval IsWebServerParent=if(match(ParentImageLower, "(w3wp|php-cgi|php|httpd|nginx|tomcat|java)(\.exe)?$"), 1, 0)
| eval IsSuspiciousScriptParent=if(match(ParentImageLower, "(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$"), 1, 0)
| eval HasBulkFlag=if(match(CmdLower, "(--all-databases|-a\s+|--databases|into outfile|into dumpfile|select \\* from|-e\s+.{0,5}select|-q\s+.{0,5}select)"), 1, 0)
| where (IsDumpTool=1)
    OR (IsDBClient=1 AND IsWebServerParent=1)
    OR (IsDBClient=1 AND HasBulkFlag=1)
    OR (IsDBClient=1 AND IsSuspiciousScriptParent=1)
| eval DetectionType=case(
    IsDumpTool=1 AND IsWebServerParent=1, "WebShellDumpToolExecution",
    IsDumpTool=1, "DatabaseDumpToolExecution",
    IsDBClient=1 AND IsWebServerParent=1, "WebShellDatabaseClientAccess",
    IsDBClient=1 AND IsSuspiciousScriptParent=1, "ScriptEngineSpawnedDBClient",
    IsDBClient=1 AND HasBulkFlag=1, "BulkDatabaseExtraction",
    true(), "DatabaseCollectionActivity"
)
| eval RiskScore=IsDumpTool + IsWebServerParent + IsSuspiciousScriptParent + HasBulkFlag
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DetectionType, RiskScore, IsWebServerParent, HasBulkFlag, IsSuspiciousScriptParent
| sort - RiskScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Scheduled database backup jobs executing mysqldump, pg_dump, or mongodump under a service account — verify against backup schedule and authorized service account list
CI/CD pipeline agents (Jenkins, GitLab Runner, TeamCity) invoking database clients for automated schema migrations, seed data loading, or integration test setup
Database health monitoring tools (Nagios check_mysql, pg_activity, MongoDB Atlas agent) running as background services that periodically invoke database clients
Developer workstations where engineers use database clients interactively — exclude known developer hostnames or user accounts from the alert
Application servers using embedded database engines (SQLite, H2) where java.exe or python.exe may appear as a parent of sqlite3.exe during normal operation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("Image") MATCHES '.*?(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$' AND LOWER("ParentImage") MATCHES '.*?(w3wp|php-cgi|php|httpd|nginx|tomcat|java)(\.exe)?$' THEN 'WebShellDumpToolExecution'
    WHEN LOWER("Image") MATCHES '.*?(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$' THEN 'DatabaseDumpToolExecution'
    WHEN LOWER("Image") MATCHES '.*?(mysql|sqlcmd|psql|mongo|mongosh|osql|bcp|isql)(\.exe)?$' AND LOWER("ParentImage") MATCHES '.*?(w3wp|php-cgi|php|httpd|nginx|tomcat|java)(\.exe)?$' THEN 'WebShellDatabaseClientAccess'
    WHEN LOWER("Image") MATCHES '.*?(mysql|sqlcmd|psql|mongo|mongosh|osql|bcp|isql)(\.exe)?$' AND LOWER("ParentImage") MATCHES '.*?(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$' THEN 'ScriptEngineSpawnedDBClient'
    WHEN LOWER("Image") MATCHES '.*?(mysql|sqlcmd|psql|mongo|mongosh|osql|bcp|isql)(\.exe)?$' AND (LOWER("CommandLine") LIKE '%--all-databases%' OR LOWER("CommandLine") LIKE '%into outfile%' OR LOWER("CommandLine") LIKE '%select * from%' OR LOWER("CommandLine") LIKE '%--databases%') THEN 'BulkDatabaseExtraction'
    ELSE 'DatabaseCollectionActivity'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID = 13 /* Microsoft Windows Security Event Log */
  AND eventid = 1 /* Sysmon Process Create */
  AND (
    LOWER("Image") MATCHES '.*?(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$'
    OR (
      LOWER("Image") MATCHES '.*?(mysql|sqlcmd|psql|mongo|mongosh|osql|bcp|isql)(\.exe)?$'
      AND (
        LOWER("ParentImage") MATCHES '.*?(w3wp|php-cgi|php|httpd|nginx|tomcat|java)(\.exe)?$'
        OR LOWER("ParentImage") MATCHES '.*?(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$'
        OR LOWER("CommandLine") LIKE '%--all-databases%'
        OR LOWER("CommandLine") LIKE '%into outfile%'
        OR LOWER("CommandLine") LIKE '%into dumpfile%'
        OR LOWER("CommandLine") LIKE '%select * from%'
        OR LOWER("CommandLine") LIKE '%-e "select%'
        OR LOWER("CommandLine") LIKE '%-q "select%'
      )
    )
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM with Sysmon forwarding via WinCollect or Sysmon Universal DSM

Required Tables

events

False Positives

Scheduled database backup scripts running under service accounts during approved maintenance windows will trigger DatabaseDumpToolExecution alerts
Application health-check scripts that use sqlcmd or psql to verify database connectivity, especially if launched from IIS worker processes in development environments
Database migration tooling invoked by deployment automation that passes inline SQL statements matching SELECT * FROM or bulk extraction patterns

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*
| where EventID = 1
| parse field=Image "*" as process_image nodrop
| parse field=ParentImage "*" as parent_image nodrop
| parse field=CommandLine "*" as command_line nodrop
| eval image_lower = toLowerCase(process_image)
| eval parent_lower = toLowerCase(parent_image)
| eval cmd_lower = toLowerCase(command_line)
| eval is_dump_tool = if(matches(image_lower, ".*?(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$"), 1, 0)
| eval is_db_client = if(matches(image_lower, ".*?(\\\\)(mysql|sqlcmd|psql|mongo|mongosh|osql|bcp|isql)(\.exe)?$"), 1, 0)
| eval is_webserver_parent = if(matches(parent_lower, ".*?(w3wp|php-cgi|php|httpd|nginx|tomcat|java)(\.exe)?$"), 1, 0)
| eval is_suspicious_script_parent = if(matches(parent_lower, ".*?(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$"), 1, 0)
| eval has_bulk_flag = if(
    matches(cmd_lower, ".*(--all-databases|--databases|into outfile|into dumpfile|select \\* from|-e\s+.{0,10}select|-q\s+.{0,10}select).*"), 1, 0
  )
| where is_dump_tool = 1
    OR (is_db_client = 1 AND is_webserver_parent = 1)
    OR (is_db_client = 1 AND has_bulk_flag = 1)
    OR (is_db_client = 1 AND is_suspicious_script_parent = 1)
| eval detection_type = if(is_dump_tool = 1 AND is_webserver_parent = 1, "WebShellDumpToolExecution",
    if(is_dump_tool = 1, "DatabaseDumpToolExecution",
      if(is_db_client = 1 AND is_webserver_parent = 1, "WebShellDatabaseClientAccess",
        if(is_db_client = 1 AND is_suspicious_script_parent = 1, "ScriptEngineSpawnedDBClient",
          if(is_db_client = 1 AND has_bulk_flag = 1, "BulkDatabaseExtraction", "DatabaseCollectionActivity")
        )
      )
    )
  )
| eval risk_score = is_dump_tool + is_webserver_parent + is_suspicious_script_parent + has_bulk_flag
| fields _messageTime, ComputerName, User, process_image, command_line, parent_image, detection_type, risk_score, is_webserver_parent, has_bulk_flag, is_suspicious_script_parent
| sort by risk_score desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Sysmon source Sumo Logic Cloud SIEM with Windows endpoint source

Required Tables

Windows Sysmon logs via _sourceCategory

False Positives

Database reliability engineers running mysqldump or pg_dumpall manually for point-in-time snapshots during incident response or capacity planning exercises
Web application frameworks such as Laravel Artisan or Django management commands that shell out to psql or mysql for migrate or dbshell commands, spawned from PHP or Java web server worker processes
Data engineering pipelines that use bcp or sqlcmd with inline SELECT queries to export data into CSV files for analytics, commonly seen in ETL environments

Google Chronicle / SecOps

yaral

rule t1213_006_database_collection {
  meta:
    author = "df00tech Argus"
    description = "Detects database data collection activity per MITRE ATT&CK T1213.006. Covers dump tool execution, webshell-driven database client access, bulk extraction flags, and scripting engine-spawned database clients."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1213.006"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-19"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Match dump tools or database clients
    (
      re.regex($e.target.process.file.full_path, `(?i)(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)(mysql|sqlcmd|psql|mongo|mongosh|osql|bcp|isql)(\.exe)?$`)
        and (
          // Spawned by web server (webshell indicator)
          re.regex($e.principal.process.file.full_path, `(?i)(w3wp|php-cgi|php|httpd|nginx|tomcat9|java)(\.exe)?$`)
          or
          // Spawned by suspicious scripting engine
          re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$`)
          or
          // Bulk extraction flags in command line
          re.regex($e.target.process.command_line, `(?i)(--all-databases|--databases|into outfile|into dumpfile|select \* from|-e\s+.{0,10}select|-q\s+.{0,10}select)`)
        )
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.target.process.file.full_path, `(?i)(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$`), 30, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(w3wp|php-cgi|php|httpd|nginx|tomcat9|java)(\.exe)?$`), 40, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$`), 30, 0) +
      if(re.regex($e.target.process.command_line, `(?i)(--all-databases|--databases|into outfile|into dumpfile)`), 25, 0)
    )
    $detection_type = if(
      re.regex($e.target.process.file.full_path, `(?i)(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$`) and
      re.regex($e.principal.process.file.full_path, `(?i)(w3wp|php-cgi|php|httpd|nginx|tomcat9|java)(\.exe)?$`),
      "WebShellDumpToolExecution",
      if(
        re.regex($e.target.process.file.full_path, `(?i)(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$`),
        "DatabaseDumpToolExecution",
        if(
          re.regex($e.principal.process.file.full_path, `(?i)(w3wp|php-cgi|php|httpd|nginx|tomcat9|java)(\.exe)?$`),
          "WebShellDatabaseClientAccess",
          if(
            re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$`),
            "ScriptEngineSpawnedDBClient",
            "BulkDatabaseExtraction"
          )
        )
      )
    )
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process = $e.target.process.file.full_path
    $cmdline = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM with Windows Sysmon or Defender for Endpoint telemetry Chronicle Forwarder with endpoint process event ingestion

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Scheduled backup automation that runs mysqldump or pg_dumpall under a service account, particularly if the backup system is web-accessible or triggered via a management portal spawning from an IIS worker
Database seeding or teardown scripts in containerised development environments where docker exec triggers psql or mongo commands that appear to originate from web server processes
Security scanning tools such as SQLMap or DB enumeration scripts run during authorised penetration tests that match bulk extraction command-line patterns

CrowdStrike LogScale (CQL)

cql

// T1213.006 — Database Collection Detection
// Covers: dump tool execution, webshell DB access, bulk extraction flags, script engine spawned DB clients

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3|mysql|sqlcmd|psql|mongosh?|osql|bcp|isql)(\.exe)?$/
| eval IsDumpTool = if(ImageFileName =~ /(?i)(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.(exe))?$/, "true", "false")
| eval IsDBClient = if(ImageFileName =~ /(?i)(mysql|sqlcmd|psql|mongosh?|osql|bcp|isql)(\.(exe))?$/, "true", "false")
| eval IsWebServerParent = if(ParentBaseFileName =~ /(?i)(w3wp|php-cgi|php|httpd|nginx|tomcat9|java)(\.(exe))?$/, "true", "false")
| eval IsSuspiciousScriptParent = if(ParentBaseFileName =~ /(?i)(wscript|cscript|mshta|rundll32|regsvr32)(\.(exe))?$/, "true", "false")
| eval HasBulkFlag = if(CommandLine =~ /(?i)(--all-databases|--databases|into outfile|into dumpfile|select \* from|-e\s+.{0,10}select|-q\s+.{0,10}select)/, "true", "false")
| where IsDumpTool = "true"
    OR (IsDBClient = "true" AND IsWebServerParent = "true")
    OR (IsDBClient = "true" AND HasBulkFlag = "true")
    OR (IsDBClient = "true" AND IsSuspiciousScriptParent = "true")
| eval DetectionType = case(
    IsDumpTool = "true" AND IsWebServerParent = "true", "WebShellDumpToolExecution",
    IsDumpTool = "true", "DatabaseDumpToolExecution",
    IsDBClient = "true" AND IsWebServerParent = "true", "WebShellDatabaseClientAccess",
    IsDBClient = "true" AND IsSuspiciousScriptParent = "true", "ScriptEngineSpawnedDBClient",
    IsDBClient = "true" AND HasBulkFlag = "true", "BulkDatabaseExtraction",
    true(), "DatabaseCollectionActivity"
  )
| eval RiskScore = (if(IsDumpTool = "true", 1, 0) + if(IsWebServerParent = "true", 2, 0) + if(IsSuspiciousScriptParent = "true", 2, 0) + if(HasBulkFlag = "true", 1, 0))
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, IsWebServerParent, HasBulkFlag, IsSuspiciousScriptParent], function=count(as=EventCount))
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection with full process telemetry enabled Falcon Data Replicator or Falcon LogScale connector

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

Database backup jobs managed by enterprise backup solutions such as Veeam or Commvault that invoke mysqldump or pg_dump via scheduled tasks, potentially appearing with elevated risk scores if run under web application service accounts
Developer workstations where Docker-based development environments execute psql or mongo inside containers, which may surface as anomalous parent-child process relationships in the Falcon sensor telemetry
Red team or penetration testing engagements that intentionally exercise database enumeration tools including sqlcmd with inline SELECT queries or mongodump against authorised target systems

Last updated: 2026-04-19 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1213.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1213Data from Information Repositories

Related Sub-techniques

T1213.001Confluence T1213.002Sharepoint T1213.003Code Repositories T1213.004Customer Relationship Management Software T1213.005Messaging Applications

Databases

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections