Detect Databases in Google Chronicle
Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). Examples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Threat actors including Sandworm Team, FIN6, Sea Turtle, and UNC5537 have leveraged database administration tools such as Adminer, mysqldump, and sqlcmd to extract schema definitions, user credentials, and bulk records. Data collected from databases may be used for Lateral Movement, Command and Control, or Exfiltration, and may be used to extort victims or sold for profit.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.006 Databases
- Canonical reference
- https://attack.mitre.org/techniques/T1213/006/
YARA-L Detection Query
rule t1213_006_database_collection {
meta:
author = "df00tech Argus"
description = "Detects database data collection activity per MITRE ATT&CK T1213.006. Covers dump tool execution, webshell-driven database client access, bulk extraction flags, and scripting engine-spawned database clients."
mitre_attack_tactic = "Collection"
mitre_attack_technique = "T1213.006"
severity = "HIGH"
confidence = "HIGH"
version = "1.0"
created = "2026-04-19"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
// Match dump tools or database clients
(
re.regex($e.target.process.file.full_path, `(?i)(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$`)
or (
re.regex($e.target.process.file.full_path, `(?i)(\\|/)(mysql|sqlcmd|psql|mongo|mongosh|osql|bcp|isql)(\.exe)?$`)
and (
// Spawned by web server (webshell indicator)
re.regex($e.principal.process.file.full_path, `(?i)(w3wp|php-cgi|php|httpd|nginx|tomcat9|java)(\.exe)?$`)
or
// Spawned by suspicious scripting engine
re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$`)
or
// Bulk extraction flags in command line
re.regex($e.target.process.command_line, `(?i)(--all-databases|--databases|into outfile|into dumpfile|select \* from|-e\s+.{0,10}select|-q\s+.{0,10}select)`)
)
)
)
match:
$e.principal.hostname over 5m
outcome:
$risk_score = max(
if(re.regex($e.target.process.file.full_path, `(?i)(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$`), 30, 0) +
if(re.regex($e.principal.process.file.full_path, `(?i)(w3wp|php-cgi|php|httpd|nginx|tomcat9|java)(\.exe)?$`), 40, 0) +
if(re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$`), 30, 0) +
if(re.regex($e.target.process.command_line, `(?i)(--all-databases|--databases|into outfile|into dumpfile)`), 25, 0)
)
$detection_type = if(
re.regex($e.target.process.file.full_path, `(?i)(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$`) and
re.regex($e.principal.process.file.full_path, `(?i)(w3wp|php-cgi|php|httpd|nginx|tomcat9|java)(\.exe)?$`),
"WebShellDumpToolExecution",
if(
re.regex($e.target.process.file.full_path, `(?i)(mysqldump|pg_dump|pg_dumpall|mongodump|sqlite3)(\.exe)?$`),
"DatabaseDumpToolExecution",
if(
re.regex($e.principal.process.file.full_path, `(?i)(w3wp|php-cgi|php|httpd|nginx|tomcat9|java)(\.exe)?$`),
"WebShellDatabaseClientAccess",
if(
re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$`),
"ScriptEngineSpawnedDBClient",
"BulkDatabaseExtraction"
)
)
)
)
$hostname = $e.principal.hostname
$username = $e.principal.user.userid
$process = $e.target.process.file.full_path
$cmdline = $e.target.process.command_line
$parent_process = $e.principal.process.file.full_path
condition:
$e
}Chronicle YARA-L 2.0 rule detecting database data collection activity (T1213.006). Triggers on PROCESS_LAUNCH events where database dump utilities are executed or database clients are invoked with webshell parent processes, suspicious scripting engine parents, or bulk extraction command-line flags. Computes a composite risk score and classifies events into labelled detection types as outcome variables.
Data Sources
Required Tables
False Positives & Tuning
- Scheduled backup automation that runs mysqldump or pg_dumpall under a service account, particularly if the backup system is web-accessible or triggered via a management portal spawning from an IIS worker
- Database seeding or teardown scripts in containerised development environments where docker exec triggers psql or mongo commands that appear to originate from web server processes
- Security scanning tools such as SQLMap or DB enumeration scripts run during authorised penetration tests that match bulk extraction command-line patterns
Other platforms for T1213.006
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MySQL Full Database Dump via mysqldump
Expected signal: Sysmon Event ID 1: Process Create with Image=mysqldump.exe, CommandLine containing '--all-databases' and '-p'. Sysmon Event ID 3: Network Connection to 127.0.0.1:3306 (or configured MySQL port). Sysmon Event ID 11: File Create for %TEMP%\db_dump_test.sql. Security Event ID 4688 (if command-line auditing enabled) with same process details.
- Test 2SQL Server Schema and User Enumeration via sqlcmd
Expected signal: Sysmon Event ID 1: Process Create with Image=sqlcmd.exe, CommandLine containing '-Q' and 'SELECT' and '-S'. Sysmon Event ID 3: Network Connection to localhost:1433. Sysmon Event ID 11: File Create for %TEMP%\sql_enum_test.txt. PowerShell ScriptBlock Logging will not capture this as it is a native executable.
- Test 3PostgreSQL Database Export via pg_dump
Expected signal: Auditd process execution event for pg_dump with arguments. Syslog entry from PostgreSQL server: connection received from 127.0.0.1, authentication succeeded for user 'postgres'. Network socket activity on TCP 5432. File creation of /tmp/pg_dump_test.backup. If Sysmon for Linux is deployed: Event ID 1 with Image=pg_dump and full CommandLine.
- Test 4Simulated Adminer Webshell Database Access (PowerShell Mimicry)
Expected signal: Sysmon Event ID 1: Process Create with Image=mysql.exe, ParentImage=powershell.exe (in production this would be w3wp.exe or php.exe). CommandLine contains '-e' and 'SELECT'. Sysmon Event ID 3: Network connection to 127.0.0.1:3306 from mysql.exe.
References (10)
- https://attack.mitre.org/techniques/T1213/006/
- https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
- https://www.mandiant.com/resources/blog/fin6-cybercrime-group-expands-threat-financial-sector
- https://www.welivesecurity.com/en/eset-research/evasive-panda-apt-group-targets-china-leveled-government-agencies/
- https://hunt.io/blog/sea-turtle-cyberattack-targets-dutch-it-and-telecom-companies
- https://www.anssi.fr/en/actualite-de-lANSSI/sandworm-intrusion-set-campaign-targeting-centreon-systems
- https://learn.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview
- https://docs.snowflake.com/en/user-guide/access-history
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213.006/T1213.006.md
- https://www.elastic.co/guide/en/security/current/database-content-discovery-via-adminer.html
Unlock Pro Content
Get the full detection package for T1213.006 including response playbook, investigation guide, and atomic red team tests.