Listen to this Post

A recent cybersecurity report reveals that threat actors are now installing legitimate database client tools on compromised systems to exfiltrate sensitive data without detection. Attackers use tools like DBeaver, Navicat, and sqlcmd to blend in with normal administrative activities, making it harder for security teams to identify malicious behavior.
Key Tactics:
- Living Off the Land (LOTL): Using trusted database tools to avoid triggering malware alerts.
- Direct Database Queries: Extracting credentials, financial records, and proprietary data via SQL commands.
- Evasion of EDR/XDR: Legitimate tools bypass endpoint detection and response systems.
Source: Threat Actors Installing DB Client Tools on Targeted Systems
You Should Know:
Detecting Unauthorized Database Tool Installations
1. Monitor New Software Installs (Linux/Windows):
Linux (Check recent installs via dpkg/rpm) dpkg --list | grep -i "dbeaver|navicat|sqlcmd" rpm -qa | grep -i "sql-client"
Windows (Check installed programs) Get-WmiObject -Class Win32_Product | Select-Object Name, Version
2. Audit Database Connections:
-- MySQL/MariaDB SELECT FROM mysql.general_log WHERE command_type = 'Query'; -- PostgreSQL SELECT FROM pg_stat_activity WHERE state = 'active';
3. Detect Suspicious SQL Queries:
Log and alert on unusual SELECT/EXPORT commands grep -i "SELECT.FROM.passwords|EXPORT.TO.csv" /var/log/mysql.log
4. Block Unauthorized Tools via Firewall:
Linux (Block outgoing connections from unknown DB tools) iptables -A OUTPUT -p tcp --dport 3306 -m owner --uid-owner suspicious_user -j DROP
Windows (Block using Firewall) New-NetFirewallRule -DisplayName "Block Navicat" -Direction Outbound -Program "C:\Program Files\Navicat\navicat.exe" -Action Block
5. Enable Database Activity Monitoring (DAM):
Use auditd (Linux) to track DB tool executions auditctl -a always,exit -F path=/usr/bin/sqlcmd -F perm=x -k database_tools
What Undercode Say
Attackers are evolving beyond malware, exploiting trusted software to remain undetected. Organizations must:
– Restrict admin tool installations via GPO/Endpoint Management.
– Implement strict database access controls (RBAC, query logging).
– Deploy anomaly detection for unusual SQL query patterns.
– Train SOC teams to recognize LOTL (Living Off the Land) attacks.
Expected Output:
- Alerts on unauthorized database tool usage.
- Logs of suspicious SQL queries for forensic analysis.
- Blocked exfiltration attempts via firewall rules.
Prediction
As detection improves, hackers will shift to memory-based SQL dumping (e.g., mimikatz-style attacks on databases) or abuse cloud CLI tools (e.g., aws rds export, gcloud sql export). Proactive hunting for unusual data exports will become critical.
Relevant Commands for Future Threats:
Monitor AWS RDS Export Activity aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=StartExportTask
Detect GCP SQL Exports gcloud logging read "protoPayload.methodName=cloudsql.instances.export" --limit=10
References:
Reported By: Omar Ahmed – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


