Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0242: Suspicious Database Access and Dump Activity Across Environments (T1213.006)

DET0242 is a MITRE detection strategy for suspicious database access and dump activity related to ATT&CK technique T1213.006, Databases. The business issue...

EnterpriseDET0242Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0242 is a MITRE detection strategy for suspicious database access and dump activity related to ATT&CK technique T1213.006, Databases. The business issue is straightforward: databases often concentrate high-value information, including usernames and hashed passwords, across on-premises and cloud-hosted environments. For leaders, this behavior matters because unusual database collection activity can indicate risk to confidentiality, incident scope, regulatory evidence, and operational trust in core systems.

Executive priority

Prioritize this as a resilience and governance question: do security, cloud, database, and identity teams have enough evidence to explain who accessed key databases, from where, under what privilege, and whether bulk extraction occurred? Because the related ATT&CK technique spans IaaS, SaaS, Linux, and macOS contexts, ownership may be split across platform, application, and cloud teams. Executives should ensure database monitoring, privileged access review, and incident response playbooks cover both self-managed and managed database services.

Technical view

The supplied MITRE object does not include official detection logic, but its relationship to T1213.006 anchors the validation scope: suspicious access to and dumping from databases used for collection. SOC and IR teams should validate visibility across database authentication, query activity, export or dump operations, administrative tooling, cloud database service logs, and host-level process/file activity where databases are self-managed. Detection engineering should separate expected backup, replication, migration, analytics, and DBA workflows from unusual access patterns, new principals, abnormal source locations, elevated privileges, or large-volume extraction behavior.

Likely telemetry

  • Database audit logs for authentication, authorization failures, queries, schema access, exports, and dump-related events
  • Cloud control-plane and data-plane logs for managed database services in IaaS or SaaS environments
  • Identity and access management logs for users, service accounts, roles, privilege changes, and session context
  • Host telemetry from Linux or macOS systems running database clients, administrative tools, or self-managed database services
  • File creation and storage telemetry for database dump files, exports, backups, or staged archives

Detection direction

  • Inventory where important databases exist, including on-premises, IaaS-hosted, platform-managed, and SaaS-hosted sources referenced by the related technique.
  • Tune for deviations from normal database access patterns rather than simple access alone, since legitimate administrators, backups, replication, and analytics can create similar signals.
  • Correlate database events with identity context, privilege changes, source system, time of day, volume of records or bytes, and creation of dump/export artifacts.
  • Validate whether logs are retained and searchable for cloud database examples in scope, such as Amazon Relational Database Service, Azure SQL Database, Google Firebase, Snowflake, and common engines such as MySQL, PostgreSQL, and MongoDB, where applicable to the environment.
  • Look for blind spots where database activity is only visible to application teams or cloud administrators and is not forwarded to the SOC.

Mitigation priorities

  • Establish ownership and logging requirements for critical databases before tuning alerts; unmanaged visibility gaps will limit detection value.
  • Apply least-privilege access to database users, service accounts, and cloud roles, especially accounts capable of bulk read, export, backup, or administrative actions.
  • Require approved workflows and auditable change records for backups, migrations, replication, and large exports so defenders can suppress known-good activity confidently.
  • Centralize database, cloud, identity, host, and network evidence into SOC and IR workflows with retention aligned to investigation and compliance needs.
  • Review high-value database access during incident response and access governance activities, including dormant accounts, excessive privileges, and unusual service account use.
Analyst notes and limits

MITRE provides the detection strategy name and relationship to T1213.006, but no official description or detection text for DET0242 in the supplied fields. The strongest supported interpretation is that defenders should monitor for suspicious access and dump activity involving databases used as collection targets. Local database architecture, approved administrative processes, and cloud service configuration will determine what telemetry is available and what constitutes suspicious behavior.

This take is constrained by sparse official fields: no platforms, tactics, description, or detection text are specified on the detection-strategy object itself. Platforms and tactic context come only from the related T1213.006 Databases technique. No active exploitation, actor attribution, impact level, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Suspicious Database Access and Dump Activity Across Environments (T1213.006)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1213.006 Databases Sub-technique This object detects Databases.
Relationship explorer

All related ATT&CK context

detects · Technique T1213.006: Databases Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
819661ca1c1213e3...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 819661ca1c12…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0242
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use