title: Databases (T1213.006)
id: df00tech-t1213-006
status: experimental
description: "Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). Examples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Threat actors including Sandworm Team, FIN6, Sea Turtle, and UNC5537 have leveraged database administration tools such as Adminer, mysqldump, and sqlcmd to extract schema definitions, user credentials, and bulk records. Data collected from databases may be used for Lateral Movement, Command and Control, or Exfiltration, and may be used to extort victims or sold for profit."
references:
  - https://attack.mitre.org/techniques/T1213/006/
  - https://df00tech.com/detections/T1213.006
author: df00tech
date: 2026/04/19
tags:
  - attack.t1213.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated, and the selection below
  # (EventID: '*') matches every process_creation event. Replace it with the KQL/SPL query on
  # df00tech before deployment, otherwise the rule fires on all process starts.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Database administrators legitimately running mysqldump, pg_dump, or mongodump as part of scheduled backup jobs — cross-reference with change management tickets and verify execution time matches backup schedule"
  - "Application deployment pipelines (CI/CD systems like Jenkins or GitLab runners) running database migration scripts that invoke psql, sqlcmd, or mysql with SELECT/schema queries"
  - "Monitoring and observability agents (Datadog, Nagios, Zabbix) that invoke database clients to run health check queries against local or remote database instances"
  - "Developers on workstations using database clients (mysql.exe, psql.exe) interactively for legitimate application development and testing against local or staging databases"
  - "Java-based application servers (java.exe) that manage their own JDBC database connections may appear as a suspicious parent for database activity in environments without a dedicated DB tier"
level: high
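
As an added triage example (not part of the df00tech rule or its KQL/SPL query), the Python below applies the false-positive notes above to constructed Sysmon-style process_creation events: it flags the database clients and dump utilities the rule names, downgrades hits whose parent is a known automation process, and separates scheduled-window dumps from bulk or schema queries. The parent image names, the backup window and the command-line patterns are assumptions to adjust per environment.

```python
"""Triage of database-tool process starts (T1213.006). Added example, not df00tech code."""
import re
from datetime import datetime, time

# Database clients / dump utilities named in the rule's description and false-positive notes.
DB_TOOLS = {"mysqldump", "pg_dump", "mongodump", "sqlcmd", "psql", "mysql"}
DUMP_TOOLS = {"mysqldump", "pg_dump", "mongodump"}
# Assumed image names for the CI/CD and monitoring parents the false-positive notes describe.
BENIGN_PARENTS = {"jenkins.exe", "gitlab-runner.exe", "agent.exe", "zabbix_agentd.exe", "nagios.exe"}
# Assumed nightly backup window (UTC) in which scheduled dumps are expected.
BACKUP_WINDOW = (time(1, 0), time(3, 0))
# Command-line shapes that indicate bulk/schema collection rather than a health-check query.
BULK_PATTERNS = re.compile(r"--all-databases|--no-data|SELECT\s+\*|information_schema|\bsys\.tables\b", re.I)

def image_name(path):
    """Lower-cased file name of a Windows or POSIX image path ('' if absent)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def in_backup_window(utc_time):
    t = datetime.fromisoformat(utc_time).time()
    return BACKUP_WINDOW[0] <= t <= BACKUP_WINDOW[1]

def triage(event):
    """Return (verdict, reason) for one process_creation event (Sysmon field names)."""
    img = image_name(event["Image"])
    tool = img[:-4] if img.endswith(".exe") else img
    if tool not in DB_TOOLS:
        return ("ignore", "not a database tool")
    parent = image_name(event.get("ParentImage", ""))
    if parent in BENIGN_PARENTS:
        return ("low", f"known automation parent {parent}")
    if tool in DUMP_TOOLS and in_backup_window(event["UtcTime"]):
        return ("medium", "dump inside backup window; verify against change ticket")
    if BULK_PATTERNS.search(event.get("CommandLine", "")):
        return ("high", f"bulk/schema query from {tool} under parent {parent or 'unknown'}")
    return ("medium", f"{tool} started outside known automation")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-04-19 02:10:00", "Image": r"C:\Program Files\MySQL\bin\mysqldump.exe",
     "CommandLine": "mysqldump --all-databases", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"UtcTime": "2026-04-19 14:22:31", "Image": r"C:\tools\sqlcmd.exe",
     "CommandLine": 'sqlcmd -Q "SELECT * FROM users"', "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2026-04-19 09:00:05", "Image": r"C:\PostgreSQL\bin\psql.exe",
     "CommandLine": 'psql -c "select 1"', "ParentImage": r"C:\Jenkins\jenkins.exe"},
    {"UtcTime": "2026-04-19 10:00:00", "Image": r"C:\Windows\notepad.exe", "CommandLine": "notepad"},
]

def run(events=SAMPLE_EVENTS):
    return [triage(e) for e in events]

if __name__ == "__main__":
    for e, (verdict, reason) in zip(SAMPLE_EVENTS, run()):
        print(f"{verdict:7} {image_name(e['Image']):15} {reason}")
```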
