What starting position does this attack require?

The first step is mongodump every database (T1041) — a exfiltration primitive. Assumed environment: target operator left MongoDB exposed to the internet without authentication (defaults pre-3.

What is the final impact of this kill-chain?

The final step lands on mongosh --host → connects unauth (DB-MONGO-NOAUTH), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Open MongoDB → dump every collection

Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Exfiltration

mongodump every database

T1041 · Exfiltration Over C2 Channel

Impact

Drop README collection with ransom note

T1486 · Data Encrypted for Impact

Discovery

show dbs / show collections

T1087 · Account Discovery

Reconnaissance

Shodan: port:27017 mongodb

W-RECON-API-DISCO · API Endpoint Discovery

Initial Access

mongosh --host <ip> → connects unauth

DB-MONGO-NOAUTH · MongoDB / DocumentDB No-Auth Open

§ Context

Assumed environment: target operator left MongoDB exposed to the internet without authentication (defaults pre-3.6 + persistent misconfig in self-hosted deployments).

§ Steps

01
mongodump every databaseExfiltration
T1041— Exfiltration Over C2 Channel
02
Drop README collection with ransom noteImpact
T1486— Data Encrypted for Impact
03
show dbs / show collectionsDiscovery
T1087— Account Discovery
04
Shodan: port:27017 mongodbReconnaissance
W-RECON-API-DISCO— API Endpoint Discovery
05
mongosh --host <ip> → connects unauthInitial Access
DB-MONGO-NOAUTH— MongoDB / DocumentDB No-Auth Open

§ References

§ Frequently asked

What is the "Open MongoDB → dump every collection" attack path?: Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is mongodump every database (T1041) — a exfiltration primitive. Assumed environment: target operator left MongoDB exposed to the internet without authentication (defaults pre-3.
What is the final impact of this kill-chain?: The final step lands on mongosh --host <ip> → connects unauth (DB-MONGO-NOAUTH), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Open MongoDB → dump every collection

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)

Unauth DICOM PACS → mass medical-image exfil

MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)

BACnet HVAC → disrupt building operations

ESXiArgs — OpenSLP unauth RCE → ransomware

Reachable Modbus PLC → direct register override