MITRE ATT&CK® Analytic

AN0677: Analytic 0677

Database client execution (e.g., sqlcmd.exe, isql.exe) by users or from locations not tied to enterprise automation or backups. Often followed by creation of .sql/.bak/.csv files, registry artifacts for ODBC/JDBC drivers, or encrypted ZIPs. Defender sees SQL tools launched by explorer.exe, PowerShell, or odd parent processes, plus file writes in user temp locations.

Domain: Enterprise | ID: AN0677 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because unexpected database client use on Windows can be an early sign that sensitive business data is being queried, staged, exported, or prepared for transfer outside normal administrative workflows. For leaders, the key question is not only whether tools such as sqlcmd.exe or isql.exe exist, but whether the organization can distinguish approved database automation and backup activity from interactive or unusual execution by users, PowerShell, Explorer, or other odd parent processes.

Executive priority

Prioritize this as a data-access and operational resilience validation item. Database client execution from non-standard users or locations can affect incident scoping, evidence for compliance, and decisions about whether sensitive records may have been accessed or staged. Security leaders should ask whether approved database administration, automation, and backup paths are documented well enough for the SOC to identify deviations without creating excessive false positives.

Technical view

For Windows environments, validate monitoring for database client process execution, parent-child process relationships, execution path, user context, and follow-on file creation. The supplied analytic highlights sqlcmd.exe and isql.exe, especially when launched by explorer.exe, PowerShell, or unusual parent processes. Detection engineering should baseline known enterprise automation and backup activity, then alert on database tools executed by unexpected users, from user-controlled paths, or followed by creation of .sql, .bak, .csv, encrypted ZIP files, or related ODBC/JDBC registry artifacts.

Likely telemetry

  • Windows process creation events including command line, parent process, user, and executable path
  • File creation/write telemetry for .sql, .bak, .csv, ZIP, and user temporary directories
  • Registry telemetry related to ODBC/JDBC driver artifacts where available
  • Endpoint detection and response telemetry for process lineage and file activity
  • Known-good inventory of database automation, backup jobs, service accounts, and administrative tool locations

Detection direction

  • Build allowlists from documented database administration, automation, and backup workflows before broadly alerting on database client binaries.
  • Tune for unusual parent processes such as explorer.exe, PowerShell, or other non-standard launch chains, as described in the analytic.
  • Correlate process execution with nearby file writes in user temp locations or creation of database export/archive file types.
  • Review user context: interactive user execution may deserve different triage than known service account automation.
  • Expect false positives from legitimate DBA work, troubleshooting, reporting, and backup operations unless business-approved workflows are well documented.
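The detection direction above, worked as runnable logic over constructed process-creation and file-write events. This is an added example, not Glexia's or MITRE's detection content; the allowlist entries, host names, user names and paths are assumptions standing in for an organization's documented automation and backup workflows.

```python
from datetime import datetime, timedelta
# Constructed sample telemetry (not real logs), shaped like EDR/Sysmon process and file events.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T02:00:00", "host": "db01", "user": "CORP\\svc_sqlbackup",
     "image": "sqlcmd.exe", "parent": "sqlagent.exe",
     "path": "C:\\Program Files\\Microsoft SQL Server\\150\\Tools\\Binn\\sqlcmd.exe"},
    {"ts": "2024-05-01T14:12:00", "host": "ws17", "user": "CORP\\jdoe",
     "image": "sqlcmd.exe", "parent": "powershell.exe",
     "path": "C:\\Users\\jdoe\\Downloads\\sqlcmd.exe"},
]
FILE_EVENTS = [
    {"ts": "2024-05-01T02:03:00", "host": "db01", "user": "CORP\\svc_sqlbackup",
     "path": "D:\\Backups\\sales.bak"},
    {"ts": "2024-05-01T14:15:30", "host": "ws17", "user": "CORP\\jdoe",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\customers.csv"},
]
DB_CLIENTS = {"sqlcmd.exe", "isql.exe"}
EXPORT_EXTS = (".sql", ".bak", ".csv", ".zip")
ODD_PARENTS = {"explorer.exe", "powershell.exe", "cmd.exe"}  # launch chains named by the analytic
ALLOWED_USERS = {"corp\\svc_sqlbackup"}  # assumed allowlist from documented backup/automation jobs
ALLOWED_DIRS = ("c:\\program files\\microsoft sql server\\",)  # assumed approved install path
WINDOW = timedelta(minutes=10)  # correlation window for follow-on file writes

def baseline_deviations(ev):
    """Reasons a database-client launch departs from the allowlist; empty means baseline."""
    reasons = []
    if ev["user"].lower() not in ALLOWED_USERS:
        reasons.append("user not in automation allowlist")
    if not ev["path"].lower().startswith(ALLOWED_DIRS):
        reasons.append("binary outside approved install path")
    if ev["parent"].lower() in ODD_PARENTS:
        reasons.append(f"launched by {ev['parent']}")
    return reasons

def detect(process_events, file_events):
    """Alert on non-baseline db-client launches; escalate when export-type files land in user temp."""
    alerts = []
    for ev in process_events:
        if ev["image"].lower() not in DB_CLIENTS or not (reasons := baseline_deviations(ev)):
            continue  # not a database client, or a documented automation/backup launch
        start = datetime.fromisoformat(ev["ts"])
        staged = [f["path"] for f in file_events
                  if f["host"] == ev["host"] and f["user"] == ev["user"]
                  and start <= datetime.fromisoformat(f["ts"]) <= start + WINDOW
                  and f["path"].lower().endswith(EXPORT_EXTS)
                  and "\\appdata\\local\\temp\\" in f["path"].lower()]
        alerts.append({"host": ev["host"], "user": ev["user"], "reasons": reasons,
                       "staged_files": staged, "severity": "high" if staged else "medium"})
    return alerts
```

The service-account backup run on db01 produces no alert, while the interactive launch on ws17 is raised at medium and escalated to high once the .csv write in the user's temp directory falls inside the window.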

Mitigation priorities

  • Document approved database client usage, including users, service accounts, hosts, execution paths, and scheduled automation.
  • Restrict database client availability and execution rights to roles and systems with a business need.
  • Harden and monitor locations where users can stage exported data, especially temporary directories.
  • Ensure database backup and export workflows are logged, owned, and distinguishable from ad hoc interactive activity.
  • Use incident response playbooks that connect endpoint evidence to database access review when unusual client execution is observed.

Analyst notes and limits

No ATT&CK tactic or relationship context was supplied for this analytic, so this take focuses on the official description and Windows platform scope. The highest-value defensive work is separating expected enterprise database operations from anomalous interactive execution and data staging patterns.

Official detection content was not provided, and no related techniques, mitigations, groups, campaigns, or software relationships were supplied. Local baselines, approved automation records, and endpoint logging quality are required to determine practical coverage and severity.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9101319459fe08fa...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   9101319459fe…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.