T1213.006 Databases
Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments).
Examples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Data collected from databases may be used for Lateral Movement, Command and Control, or Exfiltration. Data exfiltrated from databases may also be used to extort victims or may be sold for profit.[1]
| Item | Value |
|---|---|
| ID | T1213.006 |
| Sub-techniques | T1213.001, T1213.002, T1213.003, T1213.004, T1213.005, T1213.006 |
| Tactics | TA0009 |
| Platforms | IaaS, Linux, SaaS, Windows, macOS |
| Version | 1.0 |
| Created | 22 May 2025 |
| Last Modified | 21 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| C0040 | APT41 DUST | APT41 DUST collected data from victim Oracle databases using SQLULDR2.[9] |
| G0037 | FIN6 | FIN6 has collected schemas and user accounts from systems running SQL Server.[5] |
| C0049 | Leviathan Australian Intrusions | Leviathan gathered information from SQL servers and Building Management System (BMS) servers during Leviathan Australian Intrusions.[8] |
| S1146 | MgBot | MgBot includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices.[2] |
| S0598 | P.A.S. Webshell | P.A.S. Webshell has the ability to list and extract data from SQL databases.[3] |
| G0034 | Sandworm Team | Sandworm Team exfiltrates data of interest from enterprise databases using Adminer.[4] |
| G1041 | Sea Turtle | Sea Turtle used the tool Adminer to remotely log on to the MySQL service of victim machines.[6] |
| G0010 | Turla | Turla has used a custom .NET tool to collect documents from an organization’s internal central database.[7] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Consider periodic review of accounts and privileges for critical and sensitive databases. |
| M1041 | Encrypt Sensitive Information | Encrypt data stored at rest in databases. |
| M1054 | Software Configuration | Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed. |
| M1018 | User Account Management | Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization. |
| M1017 | User Training | Develop and publish policies that define acceptable information to be stored in databases and acceptable handling of customer data. Only store information required for business operations. |
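The Audit mitigation above presumes that the database's own statement logging is actually reviewed. As an added example, not taken from the ATT&CK page or any referenced report, the following Python script scans constructed PostgreSQL-style audit records for the collection pattern the procedure examples describe: an account outside an allow-list reading sensitive tables, whole-table reads or `COPY ... TO` exports, and one client sweeping several sensitive tables. The table names, account names, log layout and the `Adminer` application name in the sample are all assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Assumed inventory of sensitive tables and the accounts expected to read them.
SENSITIVE_TABLES = {"users", "credentials", "payment_cards", "customers"}
ALLOWED_READERS = {"app_svc"}
TABLE_SWEEP_THRESHOLD = 3  # distinct sensitive tables per (user, app) before it counts as a sweep

# Constructed log layout (simplified, not pgaudit's real CSV format): ts user= db= app= stmt=
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) app=(?P<app>\S*) stmt=(?P<stmt>.*)$")
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|COPY)\s+(\w+)", re.IGNORECASE)
# Whole-table reads (SELECT * with no WHERE clause) and server-side exports (COPY ... TO).
BULK_RE = re.compile(r"^\s*(?:COPY\b.*\bTO\b|SELECT\s+\*\s+FROM\s+\w+\s*;?\s*$)", re.IGNORECASE)

# Constructed sample: routine application traffic, then an ad-hoc client sweeping sensitive tables.
SAMPLE_LOG = """\
2025-05-22T10:01:00Z user=app_svc db=shop app=webapp stmt=SELECT id, email FROM users WHERE id = 42
2025-05-22T10:02:10Z user=app_svc db=shop app=webapp stmt=SELECT count(*) FROM orders WHERE status = 'open'
2025-05-22T10:15:03Z user=report_ro db=shop app=Adminer stmt=SELECT * FROM users;
2025-05-22T10:15:40Z user=report_ro db=shop app=Adminer stmt=SELECT * FROM credentials;
2025-05-22T10:16:12Z user=report_ro db=shop app=Adminer stmt=COPY (SELECT * FROM payment_cards) TO '/tmp/pc.csv'
2025-05-22T10:20:00Z user=dba db=shop app=psql stmt=SELECT * FROM customers WHERE created_at > now() - interval '1 day'
"""

def sensitive_tables_in(stmt):
    """Sensitive table names referenced by a statement (case-insensitive)."""
    return {t.lower() for t in TABLE_RE.findall(stmt)} & SENSITIVE_TABLES

def analyse(lines):
    """Return findings as dicts with reason, user, app and sorted tables."""
    findings, touched = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # unrelated or malformed line: skip it, never abort the whole run
        rec = m.groupdict()
        tables = sensitive_tables_in(rec["stmt"])
        if not tables:
            continue
        touched[(rec["user"], rec["app"])] |= tables
        hit = {"user": rec["user"], "app": rec["app"], "tables": sorted(tables)}
        if rec["user"] not in ALLOWED_READERS:
            findings.append({"reason": "unexpected_reader", **hit})
        if BULK_RE.match(rec["stmt"]):
            findings.append({"reason": "bulk_read", **hit})
    for (user, app), tables in touched.items():  # breadth across tables, not a single query
        if len(tables) >= TABLE_SWEEP_THRESHOLD:
            findings.append({"reason": "table_sweep", "user": user, "app": app, "tables": sorted(tables)})
    return findings
```

On the sample, `analyse(SAMPLE_LOG.splitlines())` yields eight findings, including a single `table_sweep` for `report_ro` via `Adminer`, while the allow-listed application account triggers nothing.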
References
1. Mandiant. (2024, June 10). UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion. Retrieved May 22, 2025.
2. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
3. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
4. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
5. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
6. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
7. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
8. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
9. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.