MITRE ATT&CK® Analytic

AN0676: Analytic 0676

Unusual database command-line access (e.g., `psql`, `mysql`, `mongo`) from non-admin users, occurring outside typical automation windows or without known service context. Often followed by data dumps to .sql/.csv files or outbound data transfers. Defender sees CLI tools launched interactively or by unusual parent processes, file writes to dump-like filenames, and external connections shortly after.

Enterprise | AN0676 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because interactive database command-line use from unexpected Linux users can be an early sign that sensitive data is being queried, staged, or prepared for export outside normal administrative or automation workflows. For leaders, the decision value is whether the organization can distinguish legitimate DBA or service activity from unusual access that may precede data loss.

Executive priority

Prioritize this as a data-protection and incident-readiness validation point for Linux-hosted database environments. Executives and risk owners should ask whether database administration paths are documented, whether non-admin access is governed, whether after-hours or non-service-context database access is reviewed, and whether SOC teams can correlate command execution, dump-file creation, and outbound network activity quickly enough to support containment decisions and compliance evidence.

Technical view

Validate monitoring for Linux process execution involving database CLI tools such as psql, mysql, or mongo when launched by non-admin users, at unusual times, or from unusual parent processes. Since the ATT&CK object provides no formal detection logic or tactic mapping, teams should build environment-specific baselines for approved DBA activity, automation windows, service accounts, expected parent processes, and known maintenance jobs. IR playbooks should include review of nearby file writes to dump-like names such as .sql or .csv and external connections shortly after the CLI activity.

Likely telemetry

  • Linux process creation telemetry with command line, user, parent process, and timestamp
  • Authentication and session context for local or remote Linux users
  • Database client execution history for psql, mysql, mongo, or equivalent CLI tools present in the environment
  • File creation or modification telemetry for potential dump outputs such as .sql and .csv files
  • Network connection telemetry showing outbound activity shortly after database CLI execution

Detection direction

  • Baseline normal database CLI use by host, user, parent process, and time window before alerting aggressively.
  • Prioritize alerts where database CLI tools are run interactively by non-admin users or by unusual parent processes.
  • Correlate command-line access with subsequent dump-like file writes and outbound network connections to reduce noise and increase triage value.
  • Tune for legitimate DBA tasks, backups, ETL jobs, monitoring scripts, and scheduled maintenance to avoid false positives.
  • Identify blind spots where Linux endpoint process telemetry, file-write auditing, or network egress logs are missing from database servers.
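The technical view and the detection-direction bullets above describe one procedure: baseline expected database CLI use, flag launches that fall outside it, then correlate each flagged launch with dump-like file writes and outbound connections before raising severity. The Python below is an added example, not code from MITRE or Glexia, that runs that logic over a few constructed telemetry records. The client names (psql, mysql, mongo) and the .sql/.csv suffixes come from the analytic; everything else is an assumed placeholder: the admin account `dba`, the `backup` service account, `cron`/`systemd`/`backup.sh` as approved parents, a 01:00-04:00 UTC automation window, RFC 1918 ranges as "internal", a 15-minute correlation window and the extra `.dump` suffix.

```python
"""Flag unusual database CLI launches on Linux and correlate follow-on activity.

Added illustration, not code from MITRE or Glexia. Every event below is
constructed, and every baseline (admin users, service accounts, approved
parents, automation window, internal ranges) is an assumed placeholder to be
replaced with values derived from the local environment.
"""
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta

DB_CLI_TOOLS = {"psql", "mysql", "mongo"}           # clients named in the analytic
ADMIN_USERS = {"dba"}                                # assumed approved DBA accounts
SERVICE_ACCOUNTS = {"backup"}                        # assumed automation identities
APPROVED_PARENTS = {"cron", "systemd", "backup.sh"}  # assumed automation parents
INTERACTIVE_PARENTS = {"bash", "zsh", "sh", "sshd", "tmux", "screen"}
AUTOMATION_WINDOW = (1, 4)                           # 01:00 <= hour < 04:00 UTC (assumed)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DUMP_SUFFIXES = (".sql", ".csv", ".dump")            # dump-like names from the analytic, plus .dump
CORRELATION_WINDOW = timedelta(minutes=15)           # "shortly after", made concrete (assumed)

# Minimal telemetry records: process creation, file write, outbound connection.
Proc = namedtuple("Proc", "ts host user parent comm cmdline")
File = namedtuple("File", "ts host user path")
Net = namedtuple("Net", "ts host user dst_ip dst_port")


def in_automation_window(ts):
    start, end = AUTOMATION_WINDOW
    return start <= ts.hour < end


def is_external(dst_ip):
    ip = ipaddress.ip_address(dst_ip)
    return not ip.is_loopback and not any(ip in net for net in INTERNAL_NETS)


def classify_launch(ev):
    """Reasons a DB CLI launch deviates from baseline; an empty list means expected."""
    if ev.comm not in DB_CLI_TOOLS or ev.user in ADMIN_USERS:
        return []                    # not a DB client, or an approved DBA path
    if ev.user in SERVICE_ACCOUNTS:
        if ev.parent in APPROVED_PARENTS and in_automation_window(ev.ts):
            return []                # known service context inside the window
        reasons = ["service account outside known context"]
    else:
        reasons = ["non-admin user"]
    if ev.parent in INTERACTIVE_PARENTS:
        reasons.append(f"interactive parent {ev.parent}")
    elif ev.parent not in APPROVED_PARENTS:
        reasons.append(f"unusual parent {ev.parent}")
    if not in_automation_window(ev.ts):
        reasons.append("outside automation window")
    return reasons


def correlate(procs, files, nets):
    """Pair each flagged launch with dump-like writes and external connections by
    the same user on the same host within CORRELATION_WINDOW; escalate severity."""
    findings = []
    for p in procs:
        reasons = classify_launch(p)
        if not reasons:
            continue
        until = p.ts + CORRELATION_WINDOW

        def same_context(e):
            return e.host == p.host and e.user == p.user and p.ts <= e.ts <= until

        dumps = [f.path for f in files if same_context(f) and f.path.lower().endswith(DUMP_SUFFIXES)]
        egress = [f"{n.dst_ip}:{n.dst_port}" for n in nets if same_context(n) and is_external(n.dst_ip)]
        severity = "high" if dumps and egress else "medium" if (dumps or egress) else "low"
        findings.append({"ts": p.ts, "host": p.host, "user": p.user, "cmdline": p.cmdline,
                         "reasons": reasons, "dumps": dumps, "egress": egress, "severity": severity})
    return findings


# Constructed sample telemetry (UTC): one expected backup, one DBA session, one
# non-admin interactive session with a dump and egress, one odd parent on an app host.
T = datetime
SAMPLE_PROCS = [
    Proc(T(2024, 3, 12, 2, 15), "db01", "backup", "cron", "mysql", "mysql -e 'FLUSH TABLES'"),
    Proc(T(2024, 3, 12, 14, 5), "db01", "dba", "bash", "psql", "psql -d orders"),
    Proc(T(2024, 3, 12, 22, 40), "db01", "jsmith", "bash", "psql", "psql -d customers"),
    Proc(T(2024, 3, 12, 10, 0), "app02", "www-data", "python3", "mongo", "mongo --eval 'db.users.find()'"),
]
SAMPLE_FILES = [
    File(T(2024, 3, 12, 22, 43), "db01", "jsmith", "/tmp/customers.csv"),
    File(T(2024, 3, 12, 22, 44), "db01", "jsmith", "/tmp/notes.txt"),      # not dump-like
]
SAMPLE_NETS = [
    Net(T(2024, 3, 12, 22, 41), "db01", "jsmith", "10.0.0.5", 5432),        # internal, ignored
    Net(T(2024, 3, 12, 22, 47), "db01", "jsmith", "203.0.113.10", 443),     # external egress
]


def run_sample():
    return correlate(SAMPLE_PROCS, SAMPLE_FILES, SAMPLE_NETS)


if __name__ == "__main__":
    for f in run_sample():
        print(f["severity"].upper(), f["host"], f["user"], f["cmdline"], f["reasons"], f["dumps"], f["egress"])
```

Run directly, it prints two findings: the `jsmith` session on db01 at high severity (non-admin, interactive parent, outside the window, followed by a .csv write and an external connection) and the `www-data` launch on app02 at low severity (odd parent, no follow-on). The structure is the point rather than the thresholds: the DBA's interactive session and the cron-driven backup are treated as baseline and never alerted on, which is the tuning step the bullets call for, and a finding only reaches high when both a dump-like write and external egress follow the launch, so the correlation step is what turns a noisy process alert into one worth triaging. In production the account sets, parents, windows and internal ranges would be populated from inventory and change-management records rather than hard-coded constants.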

Mitigation priorities

  • Define and enforce approved administrative and automation paths for database command-line access.
  • Restrict database CLI access and database permissions to authorized administrators, service accounts, and documented operational workflows.
  • Review non-admin user privileges on Linux database hosts and remove unnecessary local access where possible.
  • Maintain logging for process execution, file writes, authentication context, and outbound network activity on Linux database systems.
  • Use change-management and maintenance-window records so SOC teams can distinguish expected automation from suspicious interactive activity.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Linux focused on unusual database command-line access and possible follow-on dump-file creation or outbound transfers. No relationships, tactic mapping, or official detection logic were supplied, so this take emphasizes validation questions and telemetry requirements rather than a specific detection rule.

Assessment is limited to the official STIX fields, description, external reference, and absence of relationship context. Local baselines, account roles, database inventory, maintenance schedules, and logging coverage are required to determine whether this behavior is suspicious in a specific environment.

Official MITRE ATT&CK definition

Analytic 0676

Unusual database command-line access (e.g., `psql`, `mysql`, `mongo`) from non-admin users, occurring outside typical automation windows or without known service context. Often followed by data dumps to .sql/.csv files or outbound data transfers. Defender sees CLI tools launched interactively or by unusual parent processes, file writes to dump-like filenames, and external connections shortly after.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f9fa64733b845ecb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | f9fa64733b84…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0676 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.