Esc
Data Manipulation - T1565
(ATT&CK® Technique)
Definition
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1565["Data Manipulation"] --> |may-modify| NetworkTraffic["Network Traffic"]; class T1565 OffensiveTechniqueNode;
class NetworkTraffic ArtifactNode; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";
click T1565 href "/offensive-technique/attack/T1565/"; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic"; T1565["Data Manipulation"] --> |modifies| File["File"]; class T1565 OffensiveTechniqueNode;
class File ArtifactNode; click File href "/dao/artifact/d3f:File";
click T1565 href "/offensive-technique/attack/T1565/"; click File href "/dao/artifact/d3f:File"; T1565["Data Manipulation"] --> |may-modify| ExecutableFile["Executable File"]; class T1565 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
click T1565 href "/offensive-technique/attack/T1565/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; DecoyFile["Decoy File"] -->
| spoofs | File["File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1565["Data Manipulation"] ;
class DecoyFile DefensiveTechniqueNode;
class File ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableFile["Executable File"];
class DecoyFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | NetworkTraffic["Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1565["Data Manipulation"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | NetworkTraffic["Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1565["Data Manipulation"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | NetworkTraffic["Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1565["Data Manipulation"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | NetworkTraffic["Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1565["Data Manipulation"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | NetworkTraffic["Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | NetworkTraffic["Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; FileEncryption["File Encryption"] -->
| encrypts | File["File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1565["Data Manipulation"] ;
class FileEncryption DefensiveTechniqueNode;
class File ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableFile["Executable File"];
class FileEncryption DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | NetworkTraffic["Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; FileEviction["File Eviction"] -->
| deletes | ExecutableFile["Executable File"];
FileEviction["File Eviction"] -.->
| may-evict | T1565["Data Manipulation"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | File["File"];
class FileEviction DefensiveTechniqueNode;
class File ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | File["File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1565["Data Manipulation"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class File ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableFile["Executable File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | NetworkTraffic["Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; LocalFilePermissions["Local File Permissions"] -->
| restricts | File["File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class File ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableFile["Executable File"];
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] -->
| restores | File["File"];
RestoreFile["Restore File"] -.->
| may-restore | T1565["Data Manipulation"] ;
class RestoreFile DefensiveTechniqueNode;
class File ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | ExecutableFile["Executable File"];
class RestoreFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | File["File"];
class FileAnalysis DefensiveTechniqueNode;
class File ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | File["File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class File ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableFile["Executable File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";