Esc
Runtime Data Manipulation - T1565.003

(ATT&CK® Technique)
Definition

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1565003["Runtime Data Manipulation"] --> |may-modify| ExecutableFile["Executable File"]; class T1565003 OffensiveTechniqueNode;
        class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
        click T1565003 href "/offensive-technique/attack/T1565.003/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";             EmulatedFileAnalysis["Emulated File Analysis"] -->
          | analyzes | ExecutableFile["Executable File"];

          EmulatedFileAnalysis["Emulated File Analysis"] -.->
            | may-detect | T1565003["Runtime Data Manipulation"] ;
          class EmulatedFileAnalysis DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
          | analyzes | ExecutableFile["Executable File"];

          DynamicAnalysis["Dynamic Analysis"] -.->
            | may-detect | T1565003["Runtime Data Manipulation"] ;
          class DynamicAnalysis DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";                           FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | ExecutableFile["Executable File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1565003["Runtime Data Manipulation"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
          | deletes | ExecutableFile["Executable File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1565003["Runtime Data Manipulation"] ;
          class FileEviction DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                           DecoyFile["Decoy File"] -->
          | spoofs | ExecutableFile["Executable File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1565003["Runtime Data Manipulation"] ;
          class DecoyFile DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";              ExecutableDenylisting["Executable Denylisting"] -->
          | blocks | ExecutableFile["Executable File"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | may-isolate | T1565003["Runtime Data Manipulation"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
          | blocks | ExecutableFile["Executable File"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | may-isolate | T1565003["Runtime Data Manipulation"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";                           FileEncryption["File Encryption"] -->
          | encrypts | ExecutableFile["Executable File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1565003["Runtime Data Manipulation"] ;
          class FileEncryption DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";              RestoreFile["Restore File"] -->
          | restores | ExecutableFile["Executable File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1565003["Runtime Data Manipulation"] ;
          class RestoreFile DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";              RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | ExecutableFile["Executable File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1565003["Runtime Data Manipulation"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";        LocalFilePermissions["Local File Permissions"] -->
          | restricts | ExecutableFile["Executable File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1565003["Runtime Data Manipulation"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";              FileAnalysis["File Analysis"] -->
          | analyzes | ExecutableFile["Executable File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1565003["Runtime Data Manipulation"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";
json