T1213.006 Microsoft Sentinel · KQL

Detect Databases in Microsoft Sentinel

Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). Examples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Threat actors including Sandworm Team, FIN6, Sea Turtle, and UNC5537 have leveraged database administration tools such as Adminer, mysqldump, and sqlcmd to extract schema definitions, user credentials, and bulk records. Data collected from databases may be used for Lateral Movement, Command and Control, or Exfiltration, and may be used to extort victims or sold for profit.

MITRE ATT&CK

Tactic
Collection
Technique
T1213 Data from Information Repositories
Sub-technique
T1213.006 Databases
Canonical reference
https://attack.mitre.org/techniques/T1213/006/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// Process names are compared exactly (case-insensitive) with in~ rather than
// has_any: has_any is term-based and "mysql" would also match "mysql-helper.exe".
let DatabaseDumpTools = dynamic([
    "mysqldump.exe", "mysqldump",
    "pg_dump.exe", "pg_dump",
    "pg_dumpall.exe", "pg_dumpall",
    "mongodump.exe", "mongodump",
    "sqlite3.exe", "sqlite3"
]);
let DatabaseClients = dynamic([
    "mysql.exe", "mysql",
    "sqlcmd.exe", "sqlcmd",
    "psql.exe", "psql",
    "mongo.exe", "mongo",
    "mongosh.exe", "mongosh",
    "osql.exe", "osql",
    "bcp.exe", "bcp",
    "isql.exe", "isql"
]);
// java.exe is here because Tomcat and similar servers run as java.exe; it is
// also the noisiest entry (see False Positives & Tuning).
let WebServerProcesses = dynamic([
    "w3wp.exe", "php-cgi.exe", "php.exe", "httpd.exe",
    "nginx.exe", "tomcat9.exe", "java.exe"
]);
let SuspiciousScriptEngines = dynamic([
    "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe"
]);
// has_any is case-insensitive, so one spelling of each phrase is enough.
// A bare "-A" pattern is deliberately absent: on the clients this list is
// applied to, -A means --no-auto-rehash (mysql), --no-align (psql) or a
// dedicated admin connection (sqlcmd), not an all-databases export.
let BulkExtractionPatterns = dynamic([
    "--all-databases", "--databases",
    "INTO OUTFILE", "INTO DUMPFILE",
    "SELECT * FROM",
    "-e \"SELECT", "-Q \"SELECT",
    "--query"
]);
// Single-letter query flags (sqlcmd -Q, mysql -q) need a boundary check;
// has_any would reduce "-q " to the term q and match any stray q/Q token.
let BulkFlagRegex = @"(^|\s)-[qQ](\s|$)";
// Part 1: Any execution of a database dump/export utility
let DumpToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (DatabaseDumpTools)
| extend DetectionType = "DatabaseDumpToolExecution",
         WebShellIndicator = InitiatingProcessFileName in~ (WebServerProcesses),
         SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousScriptEngines);
// Part 2: Database clients spawned directly by web server worker processes (Adminer / P.A.S. webshell pattern)
let WebShellDBAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (DatabaseClients)
| where InitiatingProcessFileName in~ (WebServerProcesses)
| extend DetectionType = "WebShellDatabaseClientAccess",
         WebShellIndicator = true,
         SuspiciousParent = false;
// Part 3: Database clients with bulk extraction flags or inline query patterns
let BulkExtraction = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (DatabaseClients)
| where ProcessCommandLine has_any (BulkExtractionPatterns)
    or ProcessCommandLine matches regex BulkFlagRegex
| extend DetectionType = "BulkDatabaseExtraction",
         WebShellIndicator = InitiatingProcessFileName in~ (WebServerProcesses),
         SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousScriptEngines);
// Part 4: Database clients spawned by suspicious scripting engines (post-exploitation staging)
let ScriptEngineDBAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (DatabaseClients)
| where InitiatingProcessFileName in~ (SuspiciousScriptEngines)
| extend DetectionType = "ScriptEngineSpawnedDBClient",
         WebShellIndicator = false,
         SuspiciousParent = true;
// Union all detection patterns. A record that satisfies more than one part
// (e.g. w3wp.exe -> mysql.exe -e "SELECT * FROM ...") is returned once per part.
union DumpToolExec, WebShellDBAccess, BulkExtraction, ScriptEngineDBAccess
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionType, WebShellIndicator, SuspiciousParent
| sort by Timestamp desc
```
Severity: High · Confidence: High

Detects database collection activity using Microsoft Defender for Endpoint DeviceProcessEvents telemetry. Identifies four patterns: (1) execution of database dump/export utilities such as mysqldump, pg_dump, and mongodump; (2) database clients spawned directly by web server worker processes, indicating Adminer-style webshell access (Sandworm/Sea Turtle TTPs); (3) database clients invoked with bulk extraction flags such as --all-databases or inline SELECT * queries; and (4) database clients spawned by suspicious scripting engines like wscript.exe or cscript.exe, indicating post-exploitation staging. Each result is annotated with the detection type and risk indicators for analyst triage. The four parts are unioned, so one process creation that matches several parts (a web worker launching mysql.exe with an inline SELECT, for example) appears once per matching DetectionType; group by Timestamp and DeviceName when counting distinct events.

Data Sources

Process: Process Creation
Command: Command Execution
Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Database administrators legitimately running mysqldump, pg_dump, or mongodump as part of scheduled backup jobs — cross-reference with change management tickets and verify execution time matches backup schedule
  • Application deployment pipelines (CI/CD systems like Jenkins or GitLab runners) running database migration scripts that invoke psql, sqlcmd, or mysql with SELECT/schema queries
  • Monitoring and observability agents (Datadog, Nagios, Zabbix) that invoke database clients to run health check queries against local or remote database instances
  • Developers on workstations using database clients (mysql.exe, psql.exe) interactively for legitimate application development and testing against local or staging databases
  • Java-based applications (java.exe) such as Jenkins controllers, build tools, and ETL jobs that shell out to a database client are flagged as a webshell indicator because java.exe sits in the WebServerProcesses list; JDBC connections opened inside the JVM spawn no child process and are not visible to this query, so the noise comes only from Java processes that launch an external client. Scope java.exe to the application-server hosts or remove it in environments without a Java web tier.
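The four-part logic of the query and the backup-job allowlisting suggested in the tuning list above, as an added Python example (not code from this page or from Microsoft Sentinel) that replays constructed DeviceProcessEvents-style records modelled on the four tests listed under Testing Methodology below. Matching is a deliberate approximation of the KQL: process names are compared exactly after stripping the path and ".exe", command-line phrases are matched as case-insensitive substrings, and the single-letter query flags (sqlcmd -Q, mysql -q) are matched with a whitespace boundary. The bare "-A " pattern of the original list is not modelled, because on the clients that part of the query covers -A means --no-auto-rehash (mysql), --no-align (psql) or a dedicated admin connection (sqlcmd), not an all-databases export. Device names, accounts and command lines are constructed for the example.

```python
import re

# Process-name lists from the query, without the .exe variants (stripped below).
DATABASE_DUMP_TOOLS = {"mysqldump", "pg_dump", "pg_dumpall", "mongodump", "sqlite3"}
DATABASE_CLIENTS = {"mysql", "sqlcmd", "psql", "mongo", "mongosh", "osql", "bcp", "isql"}
WEB_SERVER_PROCESSES = {"w3wp", "php-cgi", "php", "httpd", "nginx", "tomcat9", "java"}
SUSPICIOUS_SCRIPT_ENGINES = {"wscript", "cscript", "mshta", "rundll32", "regsvr32"}

# Phrases matched case-insensitively as substrings (approximation of has_any).
BULK_PHRASES = ("--all-databases", "--databases", "into outfile", "into dumpfile",
                "select * from", '-e "select', '-q "select', "--query")
# sqlcmd -Q / mysql -q: require whitespace on both sides so "-q" inside a
# longer token (a password, a path) is not treated as the flag.
BULK_FLAG_RE = re.compile(r"(?:^|\s)-[qQ](?=\s|$)")


def base_name(path):
    """'C:\\...\\mysqldump.exe' or '/usr/bin/pg_dump' -> 'mysqldump' / 'pg_dump'."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def has_bulk_pattern(cmdline):
    low = cmdline.lower()
    return any(p in low for p in BULK_PHRASES) or bool(BULK_FLAG_RE.search(cmdline))


def detect(event):
    """Return the (DetectionType, WebShellIndicator, SuspiciousParent) tuples the
    KQL union would emit for one record; a record can appear more than once."""
    child = base_name(event["FileName"])
    parent = base_name(event["InitiatingProcessFileName"])
    web = parent in WEB_SERVER_PROCESSES
    script = parent in SUSPICIOUS_SCRIPT_ENGINES
    hits = []
    if child in DATABASE_DUMP_TOOLS:                                # Part 1
        hits.append(("DatabaseDumpToolExecution", web, script))
    if child in DATABASE_CLIENTS:
        if web:                                                     # Part 2
            hits.append(("WebShellDatabaseClientAccess", True, False))
        if has_bulk_pattern(event["ProcessCommandLine"]):           # Part 3
            hits.append(("BulkDatabaseExtraction", web, script))
        if script:                                                  # Part 4
            hits.append(("ScriptEngineSpawnedDBClient", False, True))
    return hits


def triage(events, backup_allowlist):
    """Suppress records whose only hit is DatabaseDumpToolExecution from an
    approved (DeviceName, AccountName) backup job; everything else is kept."""
    kept = []
    for ev in events:
        hits = detect(ev)
        if not hits:
            continue
        only_dump = {h[0] for h in hits} == {"DatabaseDumpToolExecution"}
        if only_dump and (ev["DeviceName"], ev["AccountName"]) in backup_allowlist:
            continue
        kept.append((ev["DeviceName"], hits))
    return kept


# Constructed records: the four tests from Testing Methodology, one
# production-like webshell parent, and one benign monitoring-agent query.
SAMPLE_EVENTS = [
    {"DeviceName": "db01", "AccountName": "svc_backup", "FileName": "mysqldump.exe",
     "ProcessCommandLine": "mysqldump.exe -u root -p --all-databases",
     "InitiatingProcessFileName": "cmd.exe"},
    {"DeviceName": "sql01", "AccountName": "jdoe", "FileName": "sqlcmd.exe",
     "ProcessCommandLine": 'sqlcmd -S localhost -Q "SELECT name FROM sys.sql_logins"',
     "InitiatingProcessFileName": "cmd.exe"},
    {"DeviceName": "pg01", "AccountName": "postgres", "FileName": "/usr/bin/pg_dump",
     "ProcessCommandLine": "pg_dump -Fc -f /tmp/pg_dump_test.backup appdb",
     "InitiatingProcessFileName": "/bin/bash"},
    {"DeviceName": "web01", "AccountName": "tester", "FileName": "mysql.exe",
     "ProcessCommandLine": 'mysql.exe -u app -e "SELECT * FROM users"',
     "InitiatingProcessFileName": "powershell.exe"},      # Test 4 mimicry
    {"DeviceName": "web02", "AccountName": "IIS APPPOOL\\site", "FileName": "mysql.exe",
     "ProcessCommandLine": 'mysql.exe -u app -e "SELECT * FROM users"',
     "InitiatingProcessFileName": "w3wp.exe"},            # real webshell parent
    {"DeviceName": "db01", "AccountName": "dd-agent", "FileName": "mysql",
     "ProcessCommandLine": 'mysql -u datadog -e "select 1"',
     "InitiatingProcessFileName": "agent"},               # monitoring health check
]

if __name__ == "__main__":
    for device, hits in triage(SAMPLE_EVENTS, {("db01", "svc_backup")}):
        print(device, hits)
```

Two things the replay makes visible: the Test 4 mimicry with powershell.exe as parent fires only as BulkDatabaseExtraction with WebShellIndicator false, because powershell.exe is in neither parent list, whereas the same command under w3wp.exe is returned twice (Parts 2 and 3); and the monitoring agent's `-e "select 1"` health check is indistinguishable from the query's inline-SELECT pattern, which is why the tuning list calls out observability agents.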
Testing Methodology

Validate this detection against the four Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: MySQL Full Database Dump via mysqldump

    Expected signal: Sysmon Event ID 1: Process Create with Image=mysqldump.exe, CommandLine containing '--all-databases' and '-p'. Sysmon Event ID 3: Network Connection to 127.0.0.1:3306 (or configured MySQL port). Sysmon Event ID 11: File Create for %TEMP%\db_dump_test.sql. Security Event ID 4688 (if command-line auditing enabled) with same process details.

  2. Test 2: SQL Server Schema and User Enumeration via sqlcmd

    Expected signal: Sysmon Event ID 1: Process Create with Image=sqlcmd.exe, CommandLine containing '-Q' and 'SELECT' and '-S'. Sysmon Event ID 3: Network Connection to localhost:1433. Sysmon Event ID 11: File Create for %TEMP%\sql_enum_test.txt. PowerShell ScriptBlock Logging will not capture this as it is a native executable.

  3. Test 3: PostgreSQL Database Export via pg_dump

    Expected signal: Auditd process execution event for pg_dump with arguments. Syslog entry from PostgreSQL server: connection received from 127.0.0.1, authentication succeeded for user 'postgres'. Network socket activity on TCP 5432. File creation of /tmp/pg_dump_test.backup. If Sysmon for Linux is deployed: Event ID 1 with Image=pg_dump and full CommandLine.

  4. Test 4: Simulated Adminer Webshell Database Access (PowerShell Mimicry)

    Expected signal: Sysmon Event ID 1: Process Create with Image=mysql.exe, ParentImage=powershell.exe (in production this would be w3wp.exe or php.exe). CommandLine contains '-e' and 'SELECT'. Sysmon Event ID 3: Network connection to 127.0.0.1:3306 from mysql.exe. Because powershell.exe is in neither the WebServerProcesses nor the SuspiciousScriptEngines list, this test exercises only Part 3 of the query and is returned as BulkDatabaseExtraction with WebShellIndicator=false; to exercise Part 2 (WebShellDatabaseClientAccess) the client must be launched from a real web worker process.
