Hackers Using Database Tools for Stealthy Data Exfiltration

Listen to this Post

Featured Image
A recent cybersecurity report reveals that threat actors are now installing legitimate database client tools on compromised systems to exfiltrate sensitive data without detection. Attackers use tools like DBeaver, Navicat, and sqlcmd to blend in with normal administrative activities, making it harder for security teams to identify malicious behavior.

Key Tactics:

  • Living Off the Land (LOTL): Using trusted database tools to avoid triggering malware alerts.
  • Direct Database Queries: Extracting credentials, financial records, and proprietary data via SQL commands.
  • Evasion of EDR/XDR: Legitimate tools bypass endpoint detection and response systems.

Source: Threat Actors Installing DB Client Tools on Targeted Systems

You Should Know:

Detecting Unauthorized Database Tool Installations

1. Monitor New Software Installs (Linux/Windows):

 Linux (Check recent installs via dpkg/rpm) 
dpkg --list | grep -i "dbeaver|navicat|sqlcmd" 
rpm -qa | grep -i "sql-client" 
 Windows (Check installed programs) 
Get-WmiObject -Class Win32_Product | Select-Object Name, Version 

2. Audit Database Connections:

-- MySQL/MariaDB 
SELECT  FROM mysql.general_log WHERE command_type = 'Query'; 
-- PostgreSQL 
SELECT  FROM pg_stat_activity WHERE state = 'active'; 

3. Detect Suspicious SQL Queries:

 Log and alert on unusual SELECT/EXPORT commands 
grep -i "SELECT.FROM.passwords|EXPORT.TO.csv" /var/log/mysql.log 

4. Block Unauthorized Tools via Firewall:

 Linux (Block outgoing connections from unknown DB tools) 
iptables -A OUTPUT -p tcp --dport 3306 -m owner --uid-owner suspicious_user -j DROP 
 Windows (Block using Firewall) 
New-NetFirewallRule -DisplayName "Block Navicat" -Direction Outbound -Program "C:\Program Files\Navicat\navicat.exe" -Action Block 

5. Enable Database Activity Monitoring (DAM):

 Use auditd (Linux) to track DB tool executions 
auditctl -a always,exit -F path=/usr/bin/sqlcmd -F perm=x -k database_tools 

What Undercode Say

Attackers are evolving beyond malware, exploiting trusted software to remain undetected. Organizations must:
– Restrict admin tool installations via GPO/Endpoint Management.
– Implement strict database access controls (RBAC, query logging).
– Deploy anomaly detection for unusual SQL query patterns.
– Train SOC teams to recognize LOTL (Living Off the Land) attacks.

Expected Output:

  • Alerts on unauthorized database tool usage.
  • Logs of suspicious SQL queries for forensic analysis.
  • Blocked exfiltration attempts via firewall rules.

Prediction

As detection improves, hackers will shift to memory-based SQL dumping (e.g., mimikatz-style attacks on databases) or abuse cloud CLI tools (e.g., aws rds export, gcloud sql export). Proactive hunting for unusual data exports will become critical.

Relevant Commands for Future Threats:

 Monitor AWS RDS Export Activity 
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=StartExportTask 
 Detect GCP SQL Exports 
gcloud logging read "protoPayload.methodName=cloudsql.instances.export" --limit=10 

References:

Reported By: Omar Ahmed – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram