Investigators have observed a marked rise in threat actors leveraging legitimate database (DB) client tools such as DBeaver, Navicat, and Microsoft’s sqlcmd to steal sensitive data from compromised systems.
By manually installing these widely-used tools on breached environments, attackers disguise their activities as routine administrative tasks, making detection exceptionally difficult.
Tool Usage
Instead of relying on custom malware or bespoke data exfiltration scripts, adversaries now opt for trusted DB client utilities.
These tools, once installed, require the attacker to specify the exact database server address, port, and valid account credentials, which indicates that the perpetrator had already compromised the relevant authentication information before initiating exfiltration.
This stage typically follows extensive reconnaissance, lateral movement, and credential harvesting.
Security analysis based on simulated breaches using Microsoft SQL Server environments demonstrated that actors interact with high-value database resources through the graphical or command-line interfaces of DBeaver, Navicat, and sqlcmd.
Each tool supports a range of export formats (CSV, Excel, JSON), facilitating rapid offloading of large datasets.
Forensic Traces
The challenge in post-incident investigation lies in the subtlety of these attacks. Since tools like DBeaver and Navicat are legitimate and frequently used by authorized DBAs, their mere presence on a system seldom sets off security alarms.
Forensic analysts must scour specific log files for non-administrative or anomalous usage patterns.
For DBeaver, key evidence resides in the dbeaver-debug.log and .log files, found within the user’s AppData directory.
These debug logs record actions such as data export events, including filenames, timestamps, and the tool version.
Even if export logs are absent, connection histories can still reveal if a suspicious user accessed privileged databases.
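As an added example, not part of the ASEC findings or the original article, the Python routine below triages DBeaver-style debug log lines: it ties each export event to the account that opened the connection on the same worker thread and flags exports by accounts outside an authorised DBA list, outside business hours, or to directories not approved for exports. The log line layout, server name, account names, paths and business-hours window are all constructed assumptions for this example, not DBeaver's documented format.

```python
import re
from datetime import datetime, time

# Constructed sample lines in the spirit of the article's dbeaver-debug.log
# (export events with filename, timestamp, tool version). The layout is an
# assumption for this example, not DBeaver's documented format.
SAMPLE_LOG = """\
2024-03-02 09:14:03.120 [main] INFO  DBeaver 24.0.0 started
2024-03-02 09:20:41.551 [worker-1] INFO  Connected to mssql://db01.corp.example:1433 as dba_jsmith
2024-03-02 11:02:17.004 [worker-1] INFO  Data transfer completed: export to CSV file C:\\Users\\jsmith\\reports\\q1_sales.csv
2024-03-02 23:47:09.882 [worker-2] INFO  Connected to mssql://db01.corp.example:1433 as sa
2024-03-02 23:52:33.410 [worker-2] INFO  Data transfer completed: export to JSON file C:\\Users\\Public\\dump\\customers.json
2024-03-03 00:03:58.771 [worker-2] INFO  Data transfer completed: export to XLSX file C:\\Users\\Public\\dump\\credit_cards.xlsx
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] \w+\s+(?P<msg>.*)$")
CONNECT_RE = re.compile(r"Connected to (?P<server>\S+) as (?P<user>\S+)")
EXPORT_RE = re.compile(r"export to (?P<fmt>\w+) file (?P<path>.+)$")

def triage_exports(log_text, authorized_accounts,
                   business_hours=(time(8), time(19)),
                   approved_dirs=(r"C:\Users\jsmith\reports",)):
    """Tie each export to the account that connected on its thread; return the exports worth review."""
    connections = {}  # thread -> (server, user) from its latest connect line
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        c = CONNECT_RE.search(m["msg"])
        if c:  # remember who opened the connection this thread uses
            connections[m["thread"]] = (c["server"], c["user"])
            continue
        e = EXPORT_RE.search(m["msg"])
        if not e:
            continue
        server, user = connections.get(m["thread"], ("unknown", "unknown"))
        reasons = []
        if user not in authorized_accounts:
            reasons.append(f"account '{user}' is not an authorized DBA")
        if not business_hours[0] <= ts.time() < business_hours[1]:
            reasons.append("export outside business hours")
        if not e["path"].startswith(approved_dirs):
            reasons.append("export path outside approved directories")
        if reasons:  # exports with no anomaly are dropped
            findings.append({"time": ts.isoformat(), "server": server, "user": user,
                             "format": e["fmt"], "path": e["path"], "reasons": reasons})
    return findings
```

Run against the sample, `triage_exports(SAMPLE_LOG, {"dba_jsmith"})` returns the two late-night `sa` exports to the Public directory and drops the daytime export by the authorised DBA.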
Navicat presents a different logging approach. Export settings and histories may be stored in .nexptmssql (on Windows) or LogExport.txt (on Linux) files, though logs are not cumulative and can be easily overwritten.
Thus, unless logs are captured in real time, long-term activity tracking remains problematic.
Because sqlcmd is a built-in utility, attackers can use it as a Living off the Land Binary (LoLBin) to execute SQL queries and database backups, using either Windows authentication or SQL authentication.
The database backup activity is recorded within SQL Server’s error and trace logs, but routine SELECT queries used for data dumps may leave no trace on the SQL Server itself, complicating attribution.
Investigations have uncovered that attackers often gain initial system access via Remote Desktop Protocol (RDP) sessions or reverse tunneling.
Afterwards, the malicious deployment of these DB tools enables them to export user information and other critical data to local files, later exfiltrated through secondary channels.
Because conventional anti-malware solutions view these DB client tools as benign, detection demands a behavioral approach.
Organizations are advised to leverage Endpoint Detection and Response (EDR) platforms that monitor for unusual installations or execution patterns of administrative tools, especially on endpoints where such activity is rare or unauthorized.
Equally crucial is the proactive management of database credentials and access permissions.
Restricting administrative access to fixed IP ranges and enforcing the principle of least privilege severely limits an attacker’s lateral movement.
According to the ASEC report, regular audits of database logs and backup activities further enhance visibility.
Finally, security teams should discourage the insecure storage or transmission of DB credentials, such as in unencrypted files or emails, as these are often the first assets harvested by threat actors post-breach.
The trend of abusing legitimate DB client tools for data theft underscores the evolving sophistication of cyber threats.
As attackers continue to blend with normal IT operations, defenders must pivot to deeper behavioral monitoring, forensic analysis, and strict credential hygiene to maintain resilience.