Full Report
In recent breach incidents, threat actors have been observed not only accessing systems but also directly querying internal databases and stealing sensitive information. In particular, more threat actors are installing DB client tools directly on compromised systems to exfiltrate data, and legitimate tools such as DBeaver, Navicat, and sqlcmd are being used in the process. […]
Analysis Summary
# Tool/Technique: DBeaver
## Overview
DBeaver is an open-source, GUI-based database client used for querying, data lookup, and exporting data from many relational databases. Threat actors use it post-compromise to connect to internal databases and export sensitive data, blending in with legitimate administrator activity.
## Technical Details
- Type: Tool (Legitimate Software used maliciously)
- Platform: Windows (Tested environment)
- Capabilities: Query execution, data lookup, table/query result export (CSV, Excel, JSON), connection history logging.
- First Seen: N/A (As a commonly used legitimate tool exploited by threat actors)
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (implied: the exported files still have to leave the host; the source does not identify the channel)
- T1048 - Exfiltration Over Alternative Protocol (same caveat; the data is first written to local files, which on its own is T1074.001 - Local Data Staging)
- TA0005 - Defense Evasion
- T1036 - Masquerading
- T1036.005 - Match Legitimate Name or Location
- TA0007 - Discovery
- T1046 - Network Service Discovery (implied: the tool has to locate and connect to the database service)
## Functionality
### Core Capabilities
- Execution of SQL queries against connected databases.
- Exporting query results or entire tables into common file formats (CSV, Excel, JSON).
- Recording connection history, execution times, and version information in log files.
### Advanced Features
- Built-in GUI simplifies complex data extraction compared to command-line tools.
- Debug logs record export activity: the string "Export to the new file" followed by details such as the output file (whose name carries the table name) and a timestamp.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `dbeaver-debug.log` and the other `.log` files in the DBeaver workspace; exported files often follow the pattern `${table}_${timestamp}.txt`
- Registry Keys: N/A
- Network Indicators: N/A (the database address and port the actor entered are recorded in DBeaver's connection configuration and logs, but there is no fixed network signature)
- Behavioral Indicators: DBeaver installer downloaded via a web browser after RDP access; DBeaver log files under the user's application-data path on a host where the tool was never deployed, indicating use for data theft after initial access or lateral movement.
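The log and file-name artifacts above can be turned into a small triage script. The following is an added example written for this page, not code from the AhnLab report or from DBeaver: it pulls the "Export to the new file" entries out of a collected `dbeaver-debug.log`, recovers the table name and embedded timestamp from the `${table}_${timestamp}` file name, and flags exports written to typical staging directories. The exact line layout of the log, the sample entries, and the staging-directory list are assumptions for illustration; adjust `EXPORT_RE` to the log you actually collected.

```python
"""Added example (not from the AhnLab report): triage DBeaver's debug log for export
events and recover the table name and timestamp from the export file name.

Assumptions: the layout "<timestamp> - Export to the new file '<path>'" is a constructed
approximation of dbeaver-debug.log, and the export name follows the ${table}_${timestamp}
default the page reports. Adjust EXPORT_RE to the log you actually collected.
"""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

EXPORT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?"
    r".*?Export to the new file\s+'?(?P<path>[^'\r\n]+?)'?\s*$"
)
# ${table}_${timestamp}: 12 digits (yyyyMMddHHmm) or 14 (yyyyMMddHHmmss), extension per format.
NAME_RE = re.compile(r"^(?P<table>.+)_(?P<stamp>\d{12}|\d{14})\.(?:txt|csv|json|xlsx?)$", re.I)

# Heuristic staging locations (assumption): exports landing here rather than in an
# administrator's working directory deserve a closer look.
STAGING_HINTS = ("\\downloads\\", "\\temp\\", "\\public\\", "\\desktop\\", "\\programdata\\")


@dataclass
class ExportEvent:
    logged_at: datetime             # when DBeaver wrote the log line
    path: str                       # output file as recorded in the log
    table: Optional[str]            # recovered from the file name if it follows the default pattern
    file_stamp: Optional[datetime]  # timestamp embedded in the file name


def _stamp_to_datetime(stamp: str) -> datetime:
    fmt = "%Y%m%d%H%M%S" if len(stamp) == 14 else "%Y%m%d%H%M"
    return datetime.strptime(stamp, fmt)


def parse_export_events(lines: Iterable[str]) -> List[ExportEvent]:
    """Return one ExportEvent per 'Export to the new file' line, in log order."""
    events = []
    for line in lines:
        m = EXPORT_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        name = NAME_RE.match(ntpath.basename(path))  # ntpath handles Windows paths on any host
        events.append(ExportEvent(
            logged_at=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            path=path,
            table=name.group("table") if name else None,
            file_stamp=_stamp_to_datetime(name.group("stamp")) if name else None,
        ))
    return events


def tables_exported(events: List[ExportEvent]) -> List[str]:
    """Distinct tables seen in export file names, sorted, for the incident timeline."""
    return sorted({e.table for e in events if e.table})


def suspicious_destination(path: str) -> bool:
    """True when the export landed in one of the heuristic staging directories."""
    low = path.lower()
    return any(hint in low for hint in STAGING_HINTS)


# Constructed sample log (not a real capture); backslashes are doubled for the Python literal.
SAMPLE_LOG = """\
2024-03-12 02:41:07.115 - DBeaver 23.3.4 (Windows 10) started
2024-03-12 02:41:09.502 - Connect to db-prod-01 (Microsoft SQL Server)
2024-03-12 02:43:55.018 - Export to the new file 'C:\\Users\\svc_admin\\Downloads\\dbo.Customers_20240312024355.txt'
2024-03-12 02:44:30.771 - Export to the new file 'C:\\Users\\svc_admin\\Downloads\\dbo.Payments_20240312024430.txt'
2024-03-12 02:45:02.004 - Some unrelated message
"""

if __name__ == "__main__":
    for ev in parse_export_events(SAMPLE_LOG.splitlines()):
        flag = "STAGING" if suspicious_destination(ev.path) else ""
        print(ev.logged_at, ev.table, ev.file_stamp, ev.path, flag)
```

Run it against every `dbeaver-debug.log` collected from the user profile; the log timestamp and the file-name timestamp should agree to within seconds, and a gap between them is itself worth noting (a renamed or re-used export file). The recovered table list is the starting point for scoping what data left the database.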
## Associated Threat Actors
Specific groups are not named in the source text; the behaviour is associated with post-breach data exfiltration.
## Detection Methods
- Signature-based detection: low efficacy, since the binary is legitimate and unmodified.
- Behavioral detection: monitor for new installations and execution of DBeaver outside standard operational procedure (EDR recommended), and correlate with the preceding RDP session and with the creation of export files.
- YARA rules if available: N/A in the source text.
## Mitigation Strategies
- Utilize behavior-based security solutions (EDR) to detect the creation and execution of non-standard software like DBeaver.
- If DBeaver usage is not required organizationally, actively block its execution.
- Regularly audit DB logs for unexpected administrative access patterns.
- Implement strict Principle of Least Privilege for database accounts.
- Restrict database access IPs to known, necessary administrative jump boxes or secure ranges.
## Related Tools/Techniques
- Navicat
- sqlcmd
***
# Tool/Technique: Navicat
## Overview
Navicat is commercial database management software (a free trial is available) that supports multiple database engines. Threat actors use its GUI to run SQL queries and export data after compromising a system.
## Technical Details
- Type: Tool (Legitimate Commercial Software exploited)
- Platform: Windows (Tested environment)
- Capabilities: SQL querying, data manipulation, data export features.
- First Seen: N/A
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
- T1048 - Exfiltration Over Alternative Protocol
- TA0005 - Defense Evasion
- T1036 - Masquerading
## Functionality
### Core Capabilities
- Provides a graphical interface for interacting with databases.
- Allows exporting query results.
### Advanced Features
- Export history can be reconstructed indirectly from file remnants: `.nexptmssql` export-profile files are XML documents holding the settings of an export task, including the source table and the output file path.
## Indicators of Compromise
- File Hashes: N/A
- File Names: export profiles with the `.nexptmssql` extension (XML files holding the export settings).
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: `.nexptmssql` files in Navicat's configuration directories under the user profile. Note: on Windows, export details are not written to Navicat's default log file, so these profiles may be the only on-host record of what was exported.
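Because the export details never reach the default log, the profile files are what an analyst has to work with. The following is an added example written for this page, not Navicat's or AhnLab's code: it walks a collected user profile for `.nexptmssql` files and harvests the tables, output path and connection context from each. Navicat's real XML schema is not given in the source, so the element and attribute names in the constructed sample are assumptions; for that reason the harvester does not rely on a schema but walks every element and attribute, classifying values by key name and by shape (anything that looks like a Windows path is kept as a path).

```python
"""Added example (not Navicat's or AhnLab's code): collect Navicat export profiles and
harvest the export settings (tables, output path, connection) from them.

The element/attribute names in SAMPLE_PROFILE are assumed for illustration, not
Navicat's real schema; the harvester walks every element and attribute and classifies
values by key name and by shape so it still yields something useful on the real files.
"""
import os
import re
import xml.etree.ElementTree as ET  # fine for locally collected artifacts; use defusedxml for untrusted input
from typing import Dict, Iterator

PROFILE_EXTENSIONS = {".nexptmssql"}  # extension reported on the page; other engines likely differ (assumption)
WIN_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)[^\r\n]+$")
CONTEXT_KEYS = ("connection", "server", "host", "database", "schema", "format", "delimiter")


def is_profile(name: str) -> bool:
    return os.path.splitext(name)[1].lower() in PROFILE_EXTENSIONS


def find_profiles(root_dir: str) -> Iterator[str]:
    """Walk a collected user profile (or mounted triage image) for Navicat export profiles."""
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if is_profile(name):
                yield os.path.join(dirpath, name)


def harvest_export_settings(xml_text: str) -> Dict[str, object]:
    """Return {'tables': [...], 'paths': [...], 'context': {key: value}} from one profile."""
    root = ET.fromstring(xml_text)
    found: Dict[str, object] = {"tables": [], "paths": [], "context": {}}

    def consider(key: str, value: str) -> None:
        value = (value or "").strip()
        if not value:
            return
        k = key.lower()
        if WIN_PATH_RE.match(value):               # path-like value, whatever the key is called
            found["paths"].append(value)
        elif "table" in k:                         # e.g. Table.name, TableName, SourceTable
            found["tables"].append(value)
        elif any(c in k for c in CONTEXT_KEYS):    # connection/database/format details
            found["context"][key] = value

    for elem in root.iter():
        tag = elem.tag.split("}", 1)[-1]           # drop any XML namespace prefix
        consider(tag, elem.text)
        for attr, val in elem.attrib.items():
            consider(f"{tag}.{attr}", val)
    return found


def triage_directory(root_dir: str) -> Dict[str, Dict[str, object]]:
    """Map each profile path under root_dir to its harvested settings."""
    results = {}
    for path in find_profiles(root_dir):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = harvest_export_settings(fh.read())
    return results


# Constructed sample profile with an assumed schema (not a real Navicat file).
SAMPLE_PROFILE = """\
<ExportProfile version="1">
  <Source connection="prod-mssql-01" database="Sales">
    <Table name="dbo.Customers"/>
    <Table name="dbo.CreditCards"/>
  </Source>
  <Target format="txt">
    <FilePath>C:\\Users\\Public\\Documents\\sales_dump.txt</FilePath>
  </Target>
</ExportProfile>
"""

if __name__ == "__main__":
    print(harvest_export_settings(SAMPLE_PROFILE))
```

Point `triage_directory` at the collected user profile; each hit gives a table list to scope the data loss and an output path to check for the export file (or its deletion) in the file-system timeline.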
## Associated Threat Actors
Threat actors observed using this technique (not named in the source text).
## Detection Methods
- Signature-based detection: low efficacy (legitimate software).
- Behavioral detection: monitor creation and execution of Navicat, particularly trial installs or installs in unusual directories; in forensic triage, collect and parse the `.nexptmssql` files.
- YARA rules if available: N/A in the source text.
## Mitigation Strategies
- Strict control over software installation on critical systems.
- EDR monitoring for execution and file generation related to Navicat.
- Rigorous auditing of system and application logs, with attention to post-compromise installation artifacts.
## Related Tools/Techniques
- DBeaver
- sqlcmd
***
# Tool/Technique: sqlcmd
## Overview
`sqlcmd` is a command-line utility provided with Microsoft SQL Server tools (treated here as a LOLBin because it is already present on hosts with SQL Server tooling rather than brought in by the attacker). Threat actors use it to interact with MS-SQL databases directly from the command line, often inside batch scripts, to enumerate metadata and exfiltrate data.
## Technical Details
- Type: Tool (Legitimate Microsoft Utility/LOLBin)
- Platform: Windows (Used against MS-SQL)
- Capabilities: Command-line execution of SQL queries; writing `SELECT` results straight to a file (sqlcmd's `-o` output option or shell redirection) instead of to stdout.
- First Seen: N/A (Standard utility)
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (Executing batch scripts containing sqlcmd)
- TA0010 - Exfiltration
- T1048 - Exfiltration Over Alternative Protocol (data is written to local files first and exfiltrated later)
- TA0007 - Discovery
- T1082 - System Information Discovery (querying database metadata to enumerate tables)
## Functionality
### Core Capabilities
- Executing SQL queries directly from the command line or via batch scripts.
- Storing query results (table listings and table contents) in files (the source reports `.dat` output) via sqlcmd's output option or shell redirection.
### Advanced Features
- When `SELECT` results are written straight to a file rather than to stdout, SQL Server's default logging does not record the extraction: the error log does not capture which queries ran or what they returned, so unless SQL Server Audit or Extended Events are configured there is no server-side record, and detection relies on host artifacts (the batch file, the `.dat` output, SRUM process records).
## Indicators of Compromise
- File Hashes: N/A
- File Names: batch scripts (`.bat`/`.cmd`) containing `sqlcmd` commands; output files named `[Table Name].dat`.
- Registry Keys: N/A
- Network Indicators: `sqlcmd.exe` network activity (bytes sent and received per process) recorded in the SRUM database (`C:\Windows\System32\sru\SRUDB.dat`), which survives even when the batch script and output files are deleted.
- Behavioral Indicators: execution of `sqlcmd.exe` from unusual contexts or batch scripts, especially a bulk table-enumeration query followed by repeated runs that write output files.
## Associated Threat Actors
Threat actors with access to MS-SQL servers (not named in the source text).
## Detection Methods
- Signature-based detection: difficult; the binary is legitimate and runs from its normal install path.
- Behavioral detection: monitor `sqlcmd.exe` execution and its network connections (SRUM records per-process network usage), with emphasis on runs from non-standard batch scripts that write output files.
- YARA rules if available: N/A in the source text.
## Mitigation Strategies
- Strict access control on MS-SQL server.
- Monitor System Resource Usage Monitor (SRUM) artifacts for unexplained process activity from `sqlcmd.exe`.
- Restrict file creation permissions in high-value directories.
- Avoid storing sensitive DB connection credentials insecurely (email, text files).
## Related Tools/Techniques
- DBeaver
- Navicat