MITRE ATT&CK® Analytic

AN0679: Analytic 0679

Database enumeration and export activity (e.g., `SELECT * FROM`, `SHOW DATABASES`) issued via ephemeral VMs, admin APIs, or cloud shell from non-monitoring accounts. Defender correlates audit logs (CloudTrail, GCP Admin, AzureDiagnostics), storage write ops, and cross-region transfers by identities not tied to DB operations.

Enterprise · AN0679 · Analytic object · v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic focuses on suspicious cloud database discovery and export behavior in IaaS environments, especially when it is performed from short-lived compute, cloud shell, admin APIs, or identities that are not normally responsible for database operations. For leaders, the value is not just catching a query pattern; it is validating whether cloud audit, identity, storage, and cross-region movement evidence can be connected quickly enough to determine whether sensitive data may have been enumerated or exported.

Executive priority

Prioritize this as a cloud data-risk and incident-readiness control. The business question is whether the organization can prove who accessed cloud databases, from where, through which cloud service path, and whether resulting data was written to storage or moved across regions. This matters for breach assessment, regulatory evidence, data governance, and containment decisions when database activity comes from non-standard identities or transient infrastructure.

Technical view

SOC and cloud detection teams should validate correlation across IaaS audit logs, database-related administrative activity, storage write operations, and cross-region transfer events. The supplied analytic specifically calls out activity such as database enumeration or broad export-like queries issued via ephemeral VMs, admin APIs, or cloud shell by accounts not tied to normal DB operations. Because no separate official detection logic is provided, teams should treat this as a detection design requirement: baseline legitimate database operators and monitoring accounts, identify non-monitoring identities performing enumeration/export activity, and correlate that activity with storage writes or regional data movement.

Likely telemetry

  • Cloud audit logs such as CloudTrail, GCP Admin, and AzureDiagnostics where available
  • Identity and account context for cloud principals, including whether they are expected to perform database operations
  • Database access or query audit evidence for enumeration and export-like activity
  • Cloud shell, admin API, and ephemeral VM activity records
  • Object or cloud storage write operation logs

Detection direction

  • Validate that audit logging is enabled and retained for cloud administrative actions, database access, storage writes, and cross-region transfers in IaaS environments.
  • Tune around identity context: distinguish known database operators, service accounts, and monitoring accounts from non-monitoring or unusual identities.
  • Correlate database enumeration/export indicators with subsequent storage writes or cross-region movement rather than relying on query text alone.
  • Watch for blind spots where ephemeral VMs, cloud shell sessions, or admin APIs are logged separately from database and storage telemetry.
  • Account for false positives from legitimate migrations, backups, reporting jobs, disaster recovery testing, and administrative inventory tasks; require change records or owner context where possible.
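One way to realise the correlation described in the technical view and in the detection direction above, as an added example that is not part of the MITRE analytic or of Glexia's page: the operator allowlist, the source labels, the event field names and the sample events are all constructed, and a production rule would take these from the local identity model and logging configuration.

```python
import re
from datetime import datetime, timedelta

DB_OPERATORS = {"dba-service", "db-monitor"}  # constructed baseline: identities expected to run DB ops or monitoring
TRANSIENT_SOURCES = {"ephemeral-vm", "cloud-shell", "admin-api"}  # access paths the analytic singles out
ENUM_QUERY = re.compile(r"^\s*(SHOW\s+(DATABASES|TABLES)|SELECT\s+\*\s+FROM)\b", re.IGNORECASE)  # enumeration / broad export
STORAGE_WRITE_OPS = {"PutObject", "CopyObject", "CreateSnapshot"}
WINDOW = timedelta(minutes=30)  # how long after the query a storage write is still linked to it

def find_db_export_chains(events):
    """Link each enumeration/export query run by a non-operator identity over a transient
    access path to storage writes or cross-region copies by the same identity within WINDOW.
    Returns one record per query that has at least one follow-up, so query text alone never alerts."""
    events = sorted(events, key=lambda e: e["time"])
    chains = []
    for q in events:
        if (q["type"] != "db_query" or q["identity"] in DB_OPERATORS
                or q["source"] not in TRANSIENT_SOURCES or not ENUM_QUERY.search(q["query"])):
            continue
        evidence = []
        for f in events:
            if f["type"] != "storage" or f["identity"] != q["identity"]:
                continue
            if not (q["time"] < f["time"] <= q["time"] + WINDOW):
                continue
            if f["op"] in STORAGE_WRITE_OPS or f["dst_region"] != f["region"]:
                evidence.append(f"{f['op']} {f['region']}->{f['dst_region']}")
        if evidence:
            chains.append({"identity": q["identity"], "source": q["source"],
                           "query": q["query"], "evidence": evidence})
    return chains

# Constructed sample telemetry, already normalised from CloudTrail-style and DB audit records.
T0 = datetime(2026, 1, 10, 12, 0)
def _q(m, who, src, sql): return {"type": "db_query", "time": T0 + timedelta(minutes=m), "identity": who, "source": src, "query": sql}
def _s(m, who, op, reg, dst): return {"type": "storage", "time": T0 + timedelta(minutes=m), "identity": who, "op": op, "region": reg, "dst_region": dst}

SAMPLE_EVENTS = [
    _q(0, "db-monitor", "ephemeral-vm", "SHOW DATABASES"),              # approved monitoring account: ignored
    _q(5, "ci-runner-7f3a", "cloud-shell", "SHOW DATABASES"),           # non-operator identity via cloud shell
    _q(7, "ci-runner-7f3a", "cloud-shell", "SELECT * FROM customers"),
    _s(12, "ci-runner-7f3a", "PutObject", "us-east-1", "us-east-1"),    # storage write, same region
    _s(15, "ci-runner-7f3a", "CopyObject", "us-east-1", "eu-west-1"),   # cross-region move
    _q(20, "analyst-jane", "vpn-workstation", "SELECT * FROM orders"),  # not a transient access path: ignored here
    _s(25, "analyst-jane", "PutObject", "us-east-1", "us-east-1"),
    _s(180, "ci-runner-7f3a", "PutObject", "us-east-1", "us-east-1"),   # outside WINDOW: not linked
]

if __name__ == "__main__": print(find_db_export_chains(SAMPLE_EVENTS))
```

Each returned record carries the identity, the access path, the query and the storage or transfer events that followed it, which is the evidence chain the executive-priority section asks to be able to produce.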

Mitigation priorities

  • Ensure cloud audit, database, storage, and transfer logs are enabled, centralized, time-synchronized, and retained for investigation.
  • Maintain clear ownership and approved-use mappings for identities allowed to perform database operations, exports, backups, and monitoring.
  • Apply least-privilege access so non-DB identities cannot enumerate or export database contents unless explicitly required.
  • Review controls around cloud shell, admin APIs, and short-lived compute access to sensitive databases.
  • Require documented approval and monitoring for legitimate database export, migration, backup, and cross-region transfer workflows.

Analyst notes and limits

This object is a detection analytic, not a technique description. Its most useful defensive value is in validating cloud telemetry correlation and identity baselining around database access and data movement. The relationship context supplied is empty, and no ATT&CK tactics are specified, so this take avoids mapping the behavior to broader adversary stages beyond the provided description.

The official detection field is not provided, and no relationships, mitigations, data components, or procedure examples were supplied. Local cloud architecture, logging configuration, database services, identity model, and approved operational workflows are required to convert this into production detection logic.

Official MITRE ATT&CK definition

Analytic 0679

Database enumeration and export activity (e.g., `SELECT * FROM`, `SHOW DATABASES`) issued via ephemeral VMs, admin APIs, or cloud shell from non-monitoring accounts. Defender correlates audit logs (CloudTrail, GCP Admin, AzureDiagnostics), storage write ops, and cross-region transfers by identities not tied to DB operations.

The same entry is available on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 284232eb2ba6b764...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   284232eb2ba6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0679

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.