Collection

T1213.006: Databases

T1213.006 · Sub-technique · 5 platforms · 4 groups

Description

Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments).

Examples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Data collected from databases may be used for Lateral Movement, Command and Control, or Exfiltration. Data exfiltrated from databases may also be used to extort victims or may be sold for profit.(Citation: Google Cloud Threat Intelligence UNC5537 Snowflake 2024)

Platforms

IaaS, Linux, macOS, SaaS, Windows

Mitigations (5)

User Training (M1017)

Develop and publish policies that define acceptable information to be stored in databases and acceptable handling of customer data. Only store information required for business operations.

Encrypt Sensitive Information (M1041)

Encrypt data stored at rest in databases.

Software Configuration (M1054)

Consider implementing data retention policies that automate the periodic archiving and/or deletion of data that is no longer needed.

User Account Management (M1018)

Enforce the principle of least privilege. Consider implementing access control mechanisms that include both authentication and authorization.

Audit (M1047)

Consider periodic review of accounts and privileges for critical and sensitive databases.
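The two mitigations above (least-privilege access control and periodic review of accounts and privileges) can be expressed directly in database DDL and catalog queries. The following PostgreSQL script is an added example, not part of the ATT&CK entry; the schema name `app`, the tables `app.orders` and `app.users`, and the role names `reporting_ro` and `reporting_svc` are hypothetical.

```sql
-- Added example (not from the ATT&CK page). Assumes PostgreSQL with a schema
-- "app" containing app.orders and app.users (hypothetical names).

-- 1. Stop every login role from creating objects in the default "public" schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. A NOLOGIN group role carries the privileges; a separate login role is a
--    member of it. This keeps the grant set reviewable in one place.
CREATE ROLE reporting_ro NOLOGIN;
GRANT USAGE ON SCHEMA app TO reporting_ro;
GRANT SELECT ON app.orders TO reporting_ro;

-- Column-level grant: the reporting role can read user metadata but never the
-- password_hash column, so a compromise of this account yields no credentials.
GRANT SELECT (id, email, created_at) ON app.users TO reporting_ro;

-- Login role with a connection cap; the password is a placeholder to replace.
CREATE ROLE reporting_svc LOGIN PASSWORD 'REPLACE-WITH-SECRET' CONNECTION LIMIT 5;
GRANT reporting_ro TO reporting_svc;

-- 3. Periodic review (M1047): table-level privileges in the sensitive schema.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'app'
ORDER BY grantee, table_name, privilege_type;

-- Column-level grants are not listed above; review them separately.
SELECT grantee, table_name, column_name, privilege_type
FROM information_schema.role_column_grants
WHERE table_schema = 'app'
ORDER BY grantee, table_name, column_name;

-- Login roles holding elevated attributes; each row should map to a named
-- administrator, not an application or reporting account.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls, rolconnlimit
FROM pg_roles
WHERE rolcanlogin
  AND (rolsuper OR rolcreaterole OR rolcreatedb OR rolbypassrls);
```

Running the three review queries on a schedule and diffing the output against the previous run turns the "periodic review" mitigation into a concrete control: a new grantee, a new column in a grant, or a new superuser-capable login shows up as a changed row.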

Threat Groups (4)

| ID | Group | Context |
| --- | --- | --- |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) exfiltrates data of interest from enterprise databases using Adminer.(Citation: Leonard TAG 202... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has collected schemas and user accounts from systems running SQL Server.(Citation: Visa FIN6 Feb 2019) |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) used the tool Adminer to remotely log on to the MySQL service of victim machines.(Citation: Hunt Se... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used a custom .NET tool to collect documents from an organization's internal central database.(Cita... |

Associated Software (3)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has collected data from macOS devices through the gathering of Apple Notes related files by targe... |
| S1146 | MgBot | Malware | [MgBot](https://attack.mitre.org/software/S1146) includes a module capable of stealing content from the Tencent QQ database storing user QQ message hi... |
| S0598 | P.A.S. Webshell | Malware | [P.A.S. Webshell](https://attack.mitre.org/software/S0598) has the ability to list and extract data from SQL databases.(Citation: ANSSI Sandworm Janua... |

Frequently Asked Questions

What is T1213.006 (Databases)?

T1213.006 is a MITRE ATT&CK sub-technique named 'Databases'. It belongs to the Collection tactic. Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). Examples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake.

How can T1213.006 be detected?

Detection of T1213.006 (Databases) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1213.006?

There are 5 documented mitigations for T1213.006: User Training (M1017), Encrypt Sensitive Information (M1041), Software Configuration (M1054), User Account Management (M1018), and Audit (M1047).

Which threat groups use T1213.006?

Known threat groups using T1213.006 include Sandworm Team (G0034), FIN6 (G0037), Sea Turtle (G1041), and Turla (G0010).