AN0678: Analytic 0678
Execution of Java-based or CLI database tools (e.g., DBeaver, Beekeeper, mysql, psql) from user profiles not tied to dev/admin roles, especially when followed by file writes and cloud sync activity. Defender correlates GUI tool launches, file write events in ~/Downloads or ~/Documents, and outbound API calls to known cloud services.
Analyst context for executives and security teams
This analytic matters because database client activity from a macOS user profile that is not expected to perform development or administration can signal potential access to, staging of, or movement of sensitive data. The business decision value is not just “was DBeaver or psql launched,” but whether the organization can distinguish approved database work from unusual data handling followed by file creation and cloud sync behavior.
Executive priority
Prioritize this where macOS users have access to business-critical databases, regulated data, or cloud storage services. Leaders should ask whether role expectations, endpoint telemetry, and cloud activity logs are good enough to prove that database access and subsequent file movement were authorized. This supports incident triage, insider-risk review, compliance evidence, and decisions about tightening access for users who do not need database tooling.
Technical view
For macOS, validate whether SOC workflows can correlate three evidence points from the ATT&CK description: execution of Java-based or CLI database tools such as DBeaver, Beekeeper, mysql, or psql; file writes in user locations such as ~/Downloads or ~/Documents; and outbound API calls or sync activity to known cloud services. Because no ATT&CK detection logic is supplied, teams should treat this as a detection design requirement rather than a ready-to-run rule. Baseline expected developer and administrator profiles first, then alert on similar activity from users or profiles not tied to those roles.
Likely telemetry
- macOS process execution telemetry for GUI and CLI database tools
- User/account and role context to distinguish developer or administrator profiles from other users
- File creation or modification events under ~/Downloads and ~/Documents
- Network or proxy telemetry showing outbound API calls to known cloud services
- Cloud sync or cloud service activity logs where available
Detection direction
- Build correlation around sequence and context: database tool launch, local file writes, then cloud service communication.
- Tune against approved developer, database administrator, and support workflows to reduce false positives.
- Watch for GUI database clients as well as CLI utilities; coverage limited to CLI process monitoring may miss part of the behavior described.
- Validate whether user role data is current enough to identify profiles not tied to dev/admin duties.
- Review cloud-service allowlists carefully; generic outbound network visibility may not identify API or sync behavior with enough precision.
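As an added example (not part of the original analytic or of Glexia's tooling), the sketch below runs the three-step correlation described above over a few constructed macOS endpoint records; the role map, tool names, cloud-host allowlist and 30-minute window are assumptions that a real deployment would replace with its own baselines.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real telemetry. The role map is an assumption;
# in practice it would be sourced from the identity provider or HR system.
ROLES = {"alice": "developer", "bob": "finance"}
DB_TOOLS = {"dbeaver", "beekeeper studio", "mysql", "psql"}
CLOUD_HOSTS = {"api.dropboxapi.com", "graph.microsoft.com", "www.googleapis.com"}
USER_DIRS = ("/Downloads/", "/Documents/")
WINDOW = timedelta(minutes=30)  # assumed correlation window

def _t(s):
    return datetime.fromisoformat(s)

EVENTS = [  # constructed: process, file_write and network records per user
    {"ts": _t("2026-03-01T09:00:00"), "type": "process", "user": "alice", "image": "psql"},
    {"ts": _t("2026-03-01T09:05:00"), "type": "file_write", "user": "alice", "path": "/Users/alice/Documents/report.csv"},
    {"ts": _t("2026-03-01T09:07:00"), "type": "network", "user": "alice", "host": "www.googleapis.com"},
    {"ts": _t("2026-03-01T13:00:00"), "type": "process", "user": "bob", "image": "DBeaver"},
    {"ts": _t("2026-03-01T13:04:00"), "type": "file_write", "user": "bob", "path": "/Users/bob/Downloads/customers.csv"},
    {"ts": _t("2026-03-01T13:09:00"), "type": "network", "user": "bob", "host": "api.dropboxapi.com"},
    {"ts": _t("2026-03-01T15:00:00"), "type": "process", "user": "bob", "image": "mysql"},
    {"ts": _t("2026-03-01T15:02:00"), "type": "file_write", "user": "bob", "path": "/Users/bob/Downloads/notes.txt"},
]

def correlate(events, roles, window=WINDOW):
    """Alert when a DB tool launch is followed, in order and within `window`,
    by a file write under a user directory and then a call to a known cloud
    host, for users whose role is not developer or admin."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        if roles.get(user) in ("developer", "admin"):
            continue  # approved role: part of the baseline, not an alert
        for i, e in enumerate(evs):
            if e["type"] != "process" or e["image"].lower() not in DB_TOOLS:
                continue
            later = [x for x in evs[i + 1:] if x["ts"] <= e["ts"] + window]
            writes = [x for x in later if x["type"] == "file_write"
                      and any(d in x["path"] for d in USER_DIRS)]
            for w in writes:
                cloud = [x for x in later if x["type"] == "network"
                         and x["ts"] > w["ts"] and x["host"] in CLOUD_HOSTS]
                if cloud:  # full sequence observed: tool -> file -> cloud
                    alerts.append({"user": user, "tool": e["image"],
                                   "file": w["path"], "cloud_host": cloud[0]["host"]})
                    break
    return alerts
```

The third sequence for bob (mysql, then a file write with no cloud call afterwards) deliberately does not fire, showing why the ordering and the final cloud step matter for false-positive control.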
Mitigation priorities
- Confirm least-privilege access to databases and cloud sync destinations for macOS users.
- Restrict or govern installation and execution of database tools where they are not required for the user’s role.
- Maintain role-based baselines for developer and administrator activity so exceptions are defensible during investigations.
- Ensure endpoint, file, and cloud telemetry retention is sufficient to reconstruct database-tool-to-file-to-cloud sequences.
- Use incident response playbooks that check authorization, data sensitivity, file destinations, and cloud upload context before escalation.
Analyst notes and limits
The supplied object is a detection analytic, AN0678, for enterprise ATT&CK on macOS. It has no tactic assignment, no relationships, and no official detection text beyond the descriptive analytic statement. The strongest use is as a correlation and validation pattern for managed detection, IR triage, and control assessment around unusual database tooling and cloud sync behavior.
This take is limited to the official fields provided. It does not establish adversary attribution, active exploitation, impact, or guaranteed detection coverage. Local user roles, approved tooling, database access paths, cloud services, and telemetry quality are required to determine whether the behavior is suspicious in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 450862c7bde3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0678 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.