T1565

Data Manipulation

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, threatening the integrity of the data. This technique encompasses three sub-techniques: Stored Data Manipulation (T1565.001), where adversaries directly alter files, databases, configuration data, or audit logs at rest; Transmitted Data Manipulation (T1565.002), where data is modified during transit via network interception or proxy manipulation; and Runtime Data Manipulation (T1565.003), where in-memory data structures or process state are altered during execution. Real-world examples include FIN13 (Elephant Beetle) injecting fraudulent financial transactions into compromised payment networks to incrementally siphon funds while mimicking legitimate processing behavior. Successful data manipulation campaigns often require prolonged access, domain-specific knowledge of the target system, and specialized tooling. The impact ranges from corrupted financial records and falsified audit trails to undermined operational decision-making and destroyed forensic evidence.

Microsoft Sentinel / Defender

kusto

// T1565 — Data Manipulation
// Four-branch detection: audit log clearing, database file tampering,
// bulk file modification bursts, critical path tampering by unexpected processes
let ScriptingEngines = dynamic([
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "python.exe", "python3.exe", "perl.exe",
    "php.exe", "node.exe", "ruby.exe", "bash", "sh"
]);
let DatabaseExtensions = dynamic(["mdf", "ldf", "db", "sqlite", "accdb", "mdb", "sql", "bak", "dbf", "frm"]);
let CriticalLogPaths = dynamic([
    "\\windows\\system32\\winevt\\logs",
    "\\inetpub\\logs",
    "\\program files\\microsoft sql server",
    "\\windows\\system32\\config"
]);
let LegitFileActors = dynamic([
    "svchost.exe", "wininit.exe", "lsass.exe", "services.exe",
    "csrss.exe", "MsMpEng.exe", "sqlservr.exe", "sqlagent.exe",
    "taskhostw.exe", "TrustedInstaller.exe", "TiWorker.exe"
]);
// Branch 1: Windows Security/System Audit Log Cleared (Event ID 1102 = Security, 104 = System)
let AuditLogCleared = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (1102, 104)
| project Timestamp=TimeGenerated, DeviceName=Computer,
          AccountName=strcat(SubjectDomainName, "\\", SubjectUserName),
          ProcessName="wevtutil.exe / Windows Event Log",
          CommandLine="N/A",
          FilePath=iff(EventID == 1102, "Windows Security Event Log", "Windows System Event Log"),
          Alert="AuditLogCleared",
          AlertSeverity="Critical";
// Branch 2: Database file modified or created by scripting interpreter
let DatabaseTampering = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileModified", "FileCreated", "FileRenamed")
| extend FileExt = tolower(tostring(split(FileName, ".")[-1]))
| where FileExt in (DatabaseExtensions)
| where InitiatingProcessFileName has_any (ScriptingEngines)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          ProcessName=InitiatingProcessFileName,
          CommandLine=InitiatingProcessCommandLine,
          FilePath=strcat(FolderPath, "\\", FileName),
          Alert="DatabaseFileTampering",
          AlertSeverity="High";
// Branch 3: Bulk file modification burst — single process modifies 80+ files across 3+ folders in 5 min
let BulkModification = DeviceFileEvents
| where Timestamp > ago(2h)
| where ActionType in ("FileModified", "FileCreated", "FileRenamed", "FileDeleted")
| summarize FileCount=count(),
            FolderCount=dcount(FolderPath),
            SampleFiles=make_set(FileName, 5),
            CommandLine=any(InitiatingProcessCommandLine)
    by DeviceName,
       InitiatingProcessFileName,
       InitiatingProcessAccountName,
       TimeBin=bin(Timestamp, 5m)
| where FileCount > 80 and FolderCount >= 3
| project Timestamp=TimeBin, DeviceName,
          AccountName=InitiatingProcessAccountName,
          ProcessName=InitiatingProcessFileName,
          CommandLine,
          FilePath=strcat("BulkOp (", tostring(FileCount), " files): ", tostring(SampleFiles)),
          Alert="BulkFileModification",
          AlertSeverity="Medium";
// Branch 4: Critical system/log path file modification by unexpected process
let CriticalPathTampering = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileModified", "FileDeleted", "FileRenamed")
| where FolderPath has_any (CriticalLogPaths)
| where InitiatingProcessFileName !in~ (LegitFileActors)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          ProcessName=InitiatingProcessFileName,
          CommandLine=InitiatingProcessCommandLine,
          FilePath=strcat(FolderPath, "\\", FileName),
          Alert="CriticalPathTampering",
          AlertSeverity="High";
// Union all branches into single alert stream
union AuditLogCleared, DatabaseTampering, BulkModification, CriticalPathTampering
| project Timestamp, DeviceName, AccountName, ProcessName, CommandLine,
          Alert, AlertSeverity, FilePath
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Modification File: File Creation File: File Deletion Windows: Security Event Log Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents SecurityEvent

False Positives

Backup software (Veeam, Commvault, Windows Server Backup, rsync) performing legitimate bulk file copies, database snapshots, or .bak file creation during scheduled backup windows
Database maintenance jobs — SQL Server maintenance plans, DBCC CHECKDB, SQLite VACUUM, or MySQL/PostgreSQL dump operations — that routinely create and modify .mdf, .ldf, .db, or .bak files
Software deployment and patch management systems (SCCM, Intune, Ansible, Chef) using PowerShell or cmd.exe to update configuration files, application databases, or perform bulk file operations during maintenance windows
Log aggregation and SIEM forwarding agents that archive, compress, or clear old Windows event logs as part of scheduled log rotation or log shipping workflows
CI/CD pipeline agents executing database schema migrations, bulk data seeding, or file generation steps via scripting engines during deployment runs

Splunk

spl

index=wineventlog
    ((sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11)
    OR (sourcetype="WinEventLog:Security" (EventCode=1102 OR EventCode=104)))
| eval TargetFile=coalesce(TargetFilename, "Windows Event Log")
| eval FileExt=lower(mvindex(split(TargetFile, "."), -1))
| eval IsDbFile=if(match(FileExt,"^(mdf|ldf|db|sqlite|accdb|mdb|sql|bak|dbf|frm)$"), 1, 0)
| eval IsCriticalPath=if(match(lower(TargetFile),
    "(\\\\windows\\\\system32\\\\winevt\\\\logs|\\\\inetpub\\\\logs|\\\\program files\\\\microsoft sql server|\\\\windows\\\\system32\\\\config)"), 1, 0)
| eval IsScriptingEngine=if(match(lower(coalesce(Image, "")),
    "(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|perl\.exe|bash$|sh$|node\.exe|php\.exe|ruby\.exe|cmd\.exe)"), 1, 0)
| eval IsLegitProcess=if(match(lower(coalesce(Image, "")),
    "(svchost\.exe|wininit\.exe|lsass\.exe|services\.exe|sqlservr\.exe|sqlagent\.exe|msmpeng\.exe|csrss\.exe|trustedinstaller\.exe|tiworker\.exe)"), 1, 0)
| eval AlertType=case(
    EventCode=1102 OR EventCode=104, "AuditLogCleared",
    IsDbFile=1 AND IsScriptingEngine=1, "DatabaseFileTampering",
    IsCriticalPath=1 AND IsLegitProcess=0, "CriticalPathTampering",
    1=1, null()
  )
| where isnotnull(AlertType)
| eval AlertSeverity=case(
    AlertType="AuditLogCleared", "Critical",
    AlertType="DatabaseFileTampering" OR AlertType="CriticalPathTampering", "High",
    1=1, "Medium"
  )
| eval AccountName=coalesce(User, SubjectUserName, "unknown")
| eval ProcessImage=coalesce(Image, "Windows Event Log Service")
| table _time, host, AccountName, ProcessImage, CommandLine, AlertType, AlertSeverity, TargetFile
| sort - _time
| appendcols
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 earliest=-2h latest=now
    | stats count as FileCount, dc(TargetFilename) as UniqueFolders,
             values(eval(mvindex(split(TargetFilename,"\\"), -1))) as SampleFiles,
             values(CommandLine) as CommandLines
             by host, User, Image, span(_time, 5m)
    | where FileCount > 80 AND UniqueFolders >= 3
    | eval AlertType="BulkFileModification", AlertSeverity="Medium"
    | eval AccountName=User, ProcessImage=Image
    | eval TargetFile=mvjoin(mvindex(SampleFiles, 0, 4), ", ")
    | table _time, host, AccountName, ProcessImage, CommandLines, AlertType, AlertSeverity, TargetFile]

high severity medium confidence

Data Sources

File: File Creation File: File Modification Windows: Security Event Log Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Backup software performing legitimate bulk file operations or database snapshot creation during scheduled backup windows — filter by known backup service accounts and parent processes (e.g., VeeamAgent.exe, BackupExec.exe)
Database maintenance scripts (SQL Server maintenance plans, VACUUM in SQLite) that legitimately create and overwrite .bak, .mdf, or .db files — allowlist known DBA service accounts and maintenance job paths
SCCM or Intune deployment scripts executing via cmd.exe or PowerShell to update application databases or bulk-copy configuration files — filter by SCCM agent parent process (CcmExec.exe)
Automated log archiving tools or SIEM agents clearing forwarded Windows event logs after successful shipping to prevent disk exhaustion
Developer workstations running database migration frameworks (Flyway, Liquibase, EF Core) via Python or Node that legitimately write .db or .sql files during development

Elastic Security (EQL)

eql

// Branch 1: Audit log cleared (Sysmon EventID 1102 / System 104 equivalent via Windows Security)
sequence by host.name
[
  any where event.code in ("1102", "104") and
  event.provider in ("Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing")
]

// Branch 2: Database file tampered by scripting engine
file where event.type in ("creation", "change") and
  file.extension in ("mdf", "ldf", "db", "sqlite", "accdb", "mdb", "sql", "bak", "dbf", "frm") and
  process.name in~ (
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "python.exe", "python3.exe", "perl.exe",
    "php.exe", "node.exe", "ruby.exe", "bash", "sh"
  )

// Branch 3: Critical path tampering by non-whitelisted process
file where event.type in ("change", "deletion") and
  (
    file.path like~ "*\\windows\\system32\\winevt\\logs*" or
    file.path like~ "*\\inetpub\\logs*" or
    file.path like~ "*\\program files\\microsoft sql server*" or
    file.path like~ "*\\windows\\system32\\config*"
  ) and
  process.name not in~ (
    "svchost.exe", "wininit.exe", "lsass.exe", "services.exe",
    "csrss.exe", "MsMpEng.exe", "sqlservr.exe", "sqlagent.exe",
    "taskhostw.exe", "TrustedInstaller.exe", "TiWorker.exe"
  )

high severity high confidence

Data Sources

Windows Security Event Log Sysmon (Event ID 11 File Create, Event ID 1 Process Create) Elastic Endpoint Security (file events) Windows System Event Log

Required Tables

logs-endpoint.events.file-* logs-windows.sysmon_operational-* logs-system.security-* winlogbeat-*

False Positives

Database administrators performing legitimate maintenance, backups, or schema migrations using scripting tools like PowerShell or Python DBAs scripts
Software deployment tools (SCCM, Ansible, Chef) performing bulk file modifications across multiple directories during patch cycles
Antivirus or EDR solutions scanning and updating critical path files during definition updates, triggering critical path modification alerts
Log rotation utilities that legitimately clear or archive Windows event logs on a scheduled basis
Development and CI/CD pipelines that modify database files or large numbers of files during build or test phases

IBM QRadar (AQL)

sql

// Branch 1: Audit Log Cleared
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS AccountName,
  sourceip AS SourceIP,
  QIDNAME(qid) AS EventName,
  'AuditLogCleared' AS AlertType,
  'Critical' AS AlertSeverity,
  'Windows Security/System Event Log' AS TargetFile
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13)
  AND (eventid = 1102 OR eventid = 104)
  AND DATEFORMAT(starttime, 'yyyy-MM-dd') = DATEFORMAT(NOW(), 'yyyy-MM-dd')

UNION ALL

// Branch 2: Database File Tampering by Scripting Engine
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS AccountName,
  sourceip AS SourceIP,
  'DatabaseFileTampering' AS EventName,
  'DatabaseFileTampering' AS AlertType,
  'High' AS AlertSeverity,
  CONCAT('File modified: ', UTF8(payload)) AS TargetFile
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND eventid = 11
  AND (
    LOWER(UTF8(payload)) MATCHES '.*\.(mdf|ldf|db|sqlite|accdb|mdb|sql|bak|dbf|frm).*'
  )
  AND (
    LOWER(UTF8(payload)) MATCHES '.*(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|perl\.exe|php\.exe|node\.exe|ruby\.exe|bash|sh).*'
  )
  AND DATEFORMAT(starttime, 'yyyy-MM-dd') = DATEFORMAT(NOW(), 'yyyy-MM-dd')

UNION ALL

// Branch 3: Critical Path Tampering
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS AccountName,
  sourceip AS SourceIP,
  'CriticalPathTampering' AS EventName,
  'CriticalPathTampering' AS AlertType,
  'High' AS AlertSeverity,
  UTF8(payload) AS TargetFile
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND eventid = 11
  AND (
    LOWER(UTF8(payload)) MATCHES '.*(\\windows\\system32\\winevt\\logs|\\inetpub\\logs|\\program files\\microsoft sql server|\\windows\\system32\\config).*'
  )
  AND NOT (
    LOWER(UTF8(payload)) MATCHES '.*(svchost\.exe|wininit\.exe|lsass\.exe|services\.exe|sqlservr\.exe|sqlagent\.exe|msmpeng\.exe|csrss\.exe|trustedinstaller\.exe|tiworker\.exe).*'
  )
  AND DATEFORMAT(starttime, 'yyyy-MM-dd') = DATEFORMAT(NOW(), 'yyyy-MM-dd')

ORDER BY EventTime DESC

high severity medium confidence

Data Sources

Windows Security Event Log (LOGSOURCETYPEID 12) Windows System Event Log (LOGSOURCETYPEID 13) Sysmon Operational Log (Event ID 11 File Create) IBM QRadar Windows DSM

Required Tables

events

False Positives

Legitimate database backup software (SQL Server Agent, third-party backup tools) that uses scripting wrappers to initiate backup operations modifying .bak or .mdf files
System administrators using PowerShell scripts to perform authorized log maintenance, archiving, or clearing in compliance with retention policies
Software update mechanisms for SQL Server or IIS that modify files within critical path directories during patch application
Security tools performing authorized file integrity monitoring that write checksums or metadata to monitored directories

Sumo Logic CSE

sql

// Branch 1: Audit Log Cleared
(_sourceCategory=windows/security OR _sourceCategory=windows/system)
| parse "EventCode=*" as EventCode nodrop
| where EventCode in ("1102", "104")
| eval AlertType = "AuditLogCleared", AlertSeverity = "Critical"
| eval TargetFile = if(EventCode == "1102", "Windows Security Event Log", "Windows System Event Log")
| fields _messageTime, _sourceHost, EventCode, AlertType, AlertSeverity, TargetFile

// Branch 2: Database File Tampering by Scripting Engine
// Run separately in Sumo Logic
_sourceCategory=windows/sysmon
| parse "EventCode=*" as EventCode nodrop
| where EventCode == "11"
| parse "TargetFilename=*\n" as TargetFilename nodrop
| parse "Image=*\n" as Image nodrop
| eval FileExt = toLower(replace(TargetFilename, /^.*\.([^.]+)$/, "$1"))
| where FileExt in ("mdf", "ldf", "db", "sqlite", "accdb", "mdb", "sql", "bak", "dbf", "frm")
| where matches(toLower(Image), "(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|perl\.exe|php\.exe|node\.exe|ruby\.exe|bash|sh)")
| eval AlertType = "DatabaseFileTampering", AlertSeverity = "High"
| fields _messageTime, _sourceHost, Image, TargetFilename, AlertType, AlertSeverity

// Branch 3: Bulk File Modification Burst
// Run separately in Sumo Logic
_sourceCategory=windows/sysmon EventCode=11
| parse "Image=*\n" as Image nodrop
| parse "TargetFilename=*\n" as TargetFilename nodrop
| parse "User=*\n" as User nodrop
| timeslice 5m
| count as FileCount, pct_distinct(TargetFilename, 100) as FolderApprox by _timeslice, _sourceHost, Image, User
| where FileCount > 80
| eval AlertType = "BulkFileModification", AlertSeverity = "Medium"
| fields _timeslice, _sourceHost, User, Image, FileCount, AlertType, AlertSeverity

// Branch 4: Critical Path Tampering
// Run separately in Sumo Logic
_sourceCategory=windows/sysmon EventCode=11
| parse "TargetFilename=*\n" as TargetFilename nodrop
| parse "Image=*\n" as Image nodrop
| parse "User=*\n" as User nodrop
| where matches(toLower(TargetFilename), "(\\\\windows\\\\system32\\\\winevt\\\\logs|\\\\inetpub\\\\logs|\\\\program files\\\\microsoft sql server|\\\\windows\\\\system32\\\\config)")
| where !matches(toLower(Image), "(svchost\.exe|wininit\.exe|lsass\.exe|services\.exe|sqlservr\.exe|sqlagent\.exe|msmpeng\.exe|csrss\.exe|trustedinstaller\.exe|tiworker\.exe)")
| eval AlertType = "CriticalPathTampering", AlertSeverity = "High"
| fields _messageTime, _sourceHost, User, Image, TargetFilename, AlertType, AlertSeverity
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Security Event Log (_sourceCategory=windows/security) Windows System Event Log (_sourceCategory=windows/system) Sysmon Operational Log (_sourceCategory=windows/sysmon) Sumo Logic Windows Collector

Required Tables

windows/security windows/system windows/sysmon

False Positives

Automated backup scripts using Python or PowerShell that regularly write to database file paths (.bak, .sql) as part of scheduled maintenance windows
Log management solutions that regularly clear or archive Windows event logs per organizational retention policies
Application deployment pipelines that modify large numbers of files across multiple directories during software rollouts or updates
Endpoint security tools that write scan results or quarantine files to protected system directories

Google Chronicle / SecOps

yaral

rule t1565_data_manipulation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1565 Data Manipulation: audit log clearing, database file tampering by scripting engines, and critical system path modification by unexpected processes"
    mitre_attack_technique = "T1565"
    mitre_attack_tactic = "Impact"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      // Branch 1: Audit log cleared via Windows event
      (
        $e1.metadata.event_type = "STATUS_UPDATE"
        $e1.metadata.product_event_type = "1102"
        $e1.metadata.product_name = "Microsoft-Windows-Security-Auditing"
      )
      or
      (
        $e1.metadata.event_type = "STATUS_UPDATE"
        $e1.metadata.product_event_type = "104"
        $e1.metadata.product_name = "Microsoft-Windows-Eventlog"
      )
    )
    or
    (
      // Branch 2: Database file tampered by scripting engine (Sysmon Event 11)
      $e1.metadata.event_type = "FILE_CREATION"
      $e1.target.file.full_path = /\.(mdf|ldf|db|sqlite|accdb|mdb|sql|bak|dbf|frm)$/i
      $e1.principal.process.file.full_path = /(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|perl\.exe|php\.exe|node\.exe|ruby\.exe|bash|sh)$/i
    )
    or
    (
      // Branch 3: Critical path tampering by non-whitelisted process
      $e1.metadata.event_type = "FILE_MODIFICATION"
      $e1.target.file.full_path = /(\\windows\\system32\\winevt\\logs|\\inetpub\\logs|\\program files\\microsoft sql server|\\windows\\system32\\config)/i
      not $e1.principal.process.file.full_path = /(svchost\.exe|wininit\.exe|lsass\.exe|services\.exe|csrss\.exe|MsMpEng\.exe|sqlservr\.exe|sqlagent\.exe|taskhostw\.exe|TrustedInstaller\.exe|TiWorker\.exe)$/i
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Security Event Log ingested via Chronicle Sysmon events forwarded to Chronicle Chronicle Windows sensor

Required Tables

UDM Events (FILE_CREATION, FILE_MODIFICATION, STATUS_UPDATE)

False Positives

Legitimate DBA tooling or ORMs that use embedded scripting engines to interact with database files during normal application operation
Authorized Windows log management or SIEM collection agents that clear forwarded logs after successful transmission
Windows Update or Trusted Installer operations that may briefly show non-whitelisted process names during multi-stage patching sequences
Security orchestration tools that write reports or evidence to critical system paths during incident response workflows

CrowdStrike LogScale (CQL)

cql

// Branch 1: Audit Log Cleared — Windows Security/System Event IDs 1102 or 104
#event_simpleName = "EventLogCleared" OR
(
  #event_simpleName = "SyntheticNTLM"
  | EventCode in [1102, 104]
)
| table([timestamp, ComputerName, UserName, EventCode, #event_simpleName])
| eval AlertType="AuditLogCleared", AlertSeverity="Critical"

// Branch 2: Database File Tampered by Scripting Engine
// Run in LogScale as a separate query
#event_simpleName = "PeFileWritten" OR #event_simpleName = "SuspiciousFileCreation"
| TargetFileName = /\.(mdf|ldf|db|sqlite|accdb|mdb|sql|bak|dbf|frm)$/i
| ParentBaseFileName = /(powershell|cmd|wscript|cscript|mshta|python[23]?|perl|php|node|ruby|bash|sh)\.exe/i
| eval AlertType="DatabaseFileTampering", AlertSeverity="High"
| table([timestamp, ComputerName, UserName, ParentBaseFileName, TargetFileName, CommandLine, AlertType, AlertSeverity])

// Branch 3: Bulk File Modification Burst (80+ files, 3+ folders, 5 min window)
// Run in LogScale as a separate query
#event_simpleName = "PeFileWritten"
| groupBy([ComputerName, UserName, ParentBaseFileName, bin(timestamp, 5min)], function=[
    count(TargetFileName, as=FileCount),
    count(distinct=true, TargetDirectoryName, as=FolderCount),
    collect(TargetFileName, limit=5, as=SampleFiles)
  ])
| FileCount > 80 AND FolderCount >= 3
| eval AlertType="BulkFileModification", AlertSeverity="Medium"
| table([timestamp, ComputerName, UserName, ParentBaseFileName, FileCount, FolderCount, SampleFiles, AlertType, AlertSeverity])

// Branch 4: Critical Path Tampering by Unexpected Process
// Run in LogScale as a separate query
#event_simpleName = "PeFileWritten"
| TargetDirectoryName = /(\\windows\\system32\\winevt\\logs|\\inetpub\\logs|\\program files\\microsoft sql server|\\windows\\system32\\config)/i
| ParentBaseFileName != /(svchost|wininit|lsass|services|csrss|MsMpEng|sqlservr|sqlagent|taskhostw|TrustedInstaller|TiWorker)\.exe/i
| eval AlertType="CriticalPathTampering", AlertSeverity="High"
| table([timestamp, ComputerName, UserName, ParentBaseFileName, TargetFileName, CommandLine, AlertType, AlertSeverity])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint (PeFileWritten, SuspiciousFileCreation events) CrowdStrike EventLogCleared detections Falcon sensor process and file telemetry CrowdStrike LogScale (Humio) ingestion

Required Tables

PeFileWritten SuspiciousFileCreation EventLogCleared ProcessRollup2

False Positives

Threat hunting or incident response tooling run by security analysts that legitimately reads or writes database artifacts from scripting environments during forensic investigations
Software packaging tools that modify many files across multiple directories simultaneously during application installation or uninstallation
Continuous integration or deployment pipelines running on endpoints that perform high-volume file writes during build artifact generation
Authorized log archival scripts that interact with Windows Event Log paths on a scheduled maintenance cadence

Last updated: 2026-04-21 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1565 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data Manipulation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Impact

Popular Detections