
In recent breach incidents, threat actors have evolved their methods beyond traditional intrusion tactics, now opting for a quieter, more surgical approach: the direct installation of database (DB) client tools on compromised systems. A new report from the AhnLab SEcurity intelligence Center (ASEC) sheds light on how this emerging technique is helping cybercriminals fly under the radar and exfiltrate sensitive data with tools that often masquerade as standard administrative software.
“Threat actors have been observed not only accessing systems, but also directly querying internal databases and stealing sensitive information,” the report notes.
The investigation focused on three widely used DB client tools: DBeaver, Navicat, and sqlcmd. While these tools are typically used by legitimate administrators, threat actors are increasingly installing them post-compromise to conduct reconnaissance and export database contents directly.
“These behaviors are easy to disguise as those of a legitimate administrator, making them difficult to detect,” the report explains. Once installed, these tools allow attackers to issue SQL commands, browse data structures, and export valuable information without raising red flags.
DBeaver, an open-source GUI tool, supports export of query results in formats like CSV and Excel. This process leaves behind a digital footprint.
“The debug logs record not only the data export history, but also the DBeaver version, installation path, execution time, and termination time,” the report says.
Investigators found that the ‘dbeaver-debug.log’ and ‘.log’ files can provide insight into unauthorized data exports. For example, a threat actor used DBeaver to extract table data in a format like ${table}_${timestamp}.txt, leaving behind query history and failed access attempts.
Navicat, a commercial tool with a free trial, is another favorite among attackers. While its Windows logs are limited, the presence of .nexptmssql export profile files can expose export activities.

“The threat actor installed Navicat version 17… and used the Export feature to save the data in the table in the form of a <DB name>.mdb file,” the report describes.
In Linux environments, however, exported data can be tracked via LogExport.txt, though it’s overwritten with each new run, making long-term forensics challenging.
Perhaps the stealthiest of the trio, sqlcmd is a command-line utility bundled with Microsoft SQL Server—making it a Living off the Land Binary (LoLBin).
“Threat actors use sqlcmd to send SQL query commands and perform actions such as table queries and database backups,” the report explains.
Because it’s native to Windows environments, its use typically doesn’t trigger antivirus alerts. However, researchers found SRUM artifacts and SQL Error and Trace logs that could indicate suspicious usage—especially when batch scripts are used to automate table dumps.
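The artifacts described for the three tools can be turned into a simple triage rule set over endpoint telemetry. The following script is an added example written for this article, not code from ASEC or from the report; the event record shape, host names, the DBA allowlist, the file paths and the sample events are all constructed for the demo. It flags sqlcmd invocations that run a query or script and write the results to a file (the -Q, -q, -i and -o switches are real, case-sensitive sqlcmd options), notes when such a run is launched from a batch script or carries the password on the command line, reports DBeaver or Navicat processes on hosts outside the allowlist, and matches file-creation events against the artifact names and the ${table}_${timestamp}.txt export naming mentioned above.

```python
"""Triage constructed endpoint telemetry for DB client tool activity.

Added example, not code from the ASEC report. Record layout, host names,
paths and the allowlist below are assumptions made up for this demo.
"""
import re
import shlex
from dataclasses import dataclass

# Hosts where interactive DB client tools are expected (assumed allowlist).
DBA_WORKSTATIONS = {"dba-ws01"}

# Image names of the three tools discussed in the article.
DB_CLIENT_IMAGES = {"dbeaver.exe", "navicat.exe", "sqlcmd.exe"}

# File artifacts the article associates with each tool.
ARTIFACT_PATTERNS = [
    (re.compile(r"[\\/]dbeaver-debug\.log$", re.I), "DBeaver debug log written"),
    (re.compile(r"\.nexptmssql$", re.I), "Navicat MSSQL export profile written"),
    (re.compile(r"[\\/]LogExport\.txt$", re.I), "Navicat LogExport.txt written"),
    (re.compile(r"\.mdb$", re.I), "Access .mdb file written (Navicat export target)"),
    (re.compile(r"[\\/][A-Za-z0-9_]+_\d{8,14}\.txt$"),
     "DBeaver-style ${table}_${timestamp}.txt export file written"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str
    evidence: str


def parse_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments intact."""
    return shlex.split(cmdline, posix=False)


def sqlcmd_reason(tokens):
    """Classify a sqlcmd invocation. Switches are case-sensitive in sqlcmd:
    -Q/-q run a query, -i reads a script file, -o writes results to a file."""
    switches = {t for t in tokens if re.fullmatch(r"-[A-Za-z]", t)}
    runs_query = bool(switches & {"-Q", "-q", "-i"})
    writes_file = "-o" in switches or any(t.startswith(">") for t in tokens)
    if runs_query and writes_file:
        return "sqlcmd query results written to a file (possible table dump)"
    if runs_query:
        return "sqlcmd non-interactive query execution"
    return None


def triage(events):
    """Return a Finding for every process or file event that matches a rule."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            image = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if image not in DB_CLIENT_IMAGES:
                continue
            tokens = parse_cmdline(ev["cmdline"])
            if image == "sqlcmd.exe":
                reason = sqlcmd_reason(tokens)
                if reason is None:
                    continue
                severity = "high" if "dump" in reason else "medium"
                if re.search(r"\.(bat|cmd)\b", ev.get("parent", ""), re.I):
                    reason += "; launched from a batch script"
                    severity = "high"
                if "-P" in tokens:
                    reason += "; password passed on the command line"
            else:
                if host in DBA_WORKSTATIONS:
                    continue  # GUI client on a DBA workstation is expected
                reason = f"{image} executed on a host outside the DBA allowlist"
                severity = "medium"
            findings.append(Finding(host, severity, reason, ev["cmdline"]))
        elif ev["type"] == "file":
            for pattern, label in ARTIFACT_PATTERNS:
                if pattern.search(ev["path"]):
                    findings.append(Finding(host, "low", label, ev["path"]))
                    break
    return findings


# Constructed sample telemetry (not real logs): process-creation and file-creation events.
EVENTS = [
    {"type": "process", "host": "app-srv07", "image": r"C:\Tools\sqlcmd.exe",
     "cmdline": r'sqlcmd -S 10.0.0.5 -U sa -P "P@ss" -i C:\Temp\q.sql -o C:\Temp\out.txt',
     "parent": r"C:\Windows\System32\cmd.exe /c C:\Temp\dump.bat"},
    {"type": "process", "host": "dba-ws01", "image": r"C:\Program Files\DBeaver\dbeaver.exe",
     "cmdline": r'"C:\Program Files\DBeaver\dbeaver.exe"', "parent": "explorer.exe"},
    {"type": "process", "host": "file-srv03", "image": r"C:\Users\Public\Navicat\navicat.exe",
     "cmdline": "navicat.exe", "parent": "explorer.exe"},
    {"type": "file", "host": "file-srv03", "path": r"C:\Users\Public\Documents\sales.nexptmssql"},
    {"type": "file", "host": "app-srv07", "path": r"C:\Temp\Customers_20240315103000.txt"},
    {"type": "process", "host": "app-srv07", "image": r"C:\Tools\sqlcmd.exe",
     "cmdline": 'sqlcmd -S . -Q "SELECT @@VERSION"', "parent": "powershell.exe"},
    {"type": "process", "host": "app-srv07", "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad.exe", "parent": "explorer.exe"},
    {"type": "file", "host": "db-lnx01", "path": "/root/.config/navicat/LogExport.txt"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.severity:6}] {f.host}: {f.reason} <- {f.evidence}")
```

The rules are deliberately coarse: the GUI tools are judged by where they run rather than by what they do, because their export activity is only visible in the log files named in the report, while sqlcmd is judged by its switches because it is a legitimate binary that cannot simply be blocked on SQL Server hosts.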
The common thread in these breaches is that attackers had already obtained valid credentials and connection information prior to using these tools. This underscores the need for organizations to proactively monitor their environments.
“From the perspective of responding to a breach, it is crucial to analyze the system and log traces described above to quickly identify what data the threat actor accessed,” the report urges.
Security teams are advised to:
- Monitor log directories for tool-specific traces.
- Restrict DB tool usage on endpoints using Endpoint Detection and Response (EDR) systems.
- Apply strict access controls to limit DB connections to specific IPs and users.
- Avoid storing credentials in plaintext files, such as Excel or text documents, to prevent theft.
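The last recommendation is easiest to enforce if the files that would be found by an intruder are found first by the defenders. The script below is an added example for this article, not code from ASEC or from the report; the file names, contents and credential patterns are constructed for the demo. It walks a directory tree, reads plain text, batch and config files directly and pulls the shared-string table out of .xlsx workbooks (an .xlsx is a zip archive whose typed cell text lives in xl/sharedStrings.xml), then reports the file, line and kind of credential found without echoing the secret itself.

```python
"""Find database credentials stored in plain-text documents and spreadsheets.

Added example, not code from the ASEC report. File names, contents and
regexes are constructed for this demo.
"""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# (label, regex) pairs for credential material seen in connection strings and
# client command lines. The ADO.NET pattern excludes URL-style ?password=/&password=
# so a JDBC URL is reported once, under its own label.
CREDENTIAL_PATTERNS = [
    ("ADO.NET/ODBC connection string with password",
     re.compile(r"(?<![?&])\b(?:Password|Pwd)\s*=\s*[^;\s]+", re.I)),
    ("JDBC URL with password parameter",
     re.compile(r"\bjdbc:\S*[?&;]password=[^&;\s]+", re.I)),
    ("sqlcmd/osql password on the command line",
     re.compile(r"\b(?:sqlcmd|osql)\b[^\n]*\s-P\s*\S+")),
    ("mysql client password on the command line",
     re.compile(r"\bmysql\b[^\n]*\s(?:-p\S+|--password=\S+)")),
]

SPREADSHEET_NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
SCAN_EXTENSIONS = (".txt", ".csv", ".ini", ".cfg", ".conf", ".bat", ".cmd", ".ps1", ".xlsx")


def xlsx_text(path):
    """Return the shared-string table of an .xlsx file, one string per line."""
    with zipfile.ZipFile(path) as z:
        if "xl/sharedStrings.xml" not in z.namelist():
            return ""
        root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return "\n".join(t.text or "" for t in root.iterfind(".//m:t", SPREADSHEET_NS))


def file_text(path):
    """Read a file as text; spreadsheets go through the shared-string extractor."""
    if path.lower().endswith(".xlsx"):
        return xlsx_text(path)
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()


def scan_text(text):
    """Yield (line_number, label) for every credential pattern that matches a line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in CREDENTIAL_PATTERNS:
            if rx.search(line):
                yield lineno, label


def scan_tree(root):
    """Return [(relative_path, line_number, label)] for every hit under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            for lineno, label in scan_text(file_text(path)):
                findings.append((rel, lineno, label))
    return findings


def build_sample_tree(root):
    """Write constructed sample files: a batch dump script, a clean note, a spreadsheet."""
    with open(os.path.join(root, "dump.bat"), "w") as f:
        f.write("@echo off\nsqlcmd -S 10.0.0.5 -U sa -P Passw0rd! -i export.sql -o out.txt\n")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("Maintenance window Friday 22:00.\n")
    # Minimal .xlsx containing only the shared-string part the scanner reads
    # (constructed for the demo; not a complete workbook).
    sst = ('<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
           '<si><t>Server=sql01;Database=CRM;User Id=app;Password=Hunter2;</t></si>'
           '<si><t>jdbc:mysql://sql02/erp?user=erp&amp;password=Winter2024</t></si></sst>')
    with zipfile.ZipFile(os.path.join(root, "connections.xlsx"), "w") as z:
        z.writestr("xl/sharedStrings.xml", sst)


def demo():
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, lineno, label in demo():
        print(f"{rel}:{lineno}: {label}")
```

Reporting only the location and kind of credential keeps the scan output itself from becoming another plaintext copy of the secret; the owner of the file can then move the credential into a vault or an integrated-authentication setup and rotate it.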