Detect Stored Data Manipulation in Google Chronicle
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. Real-world examples include APT38's DYEPACK tool creating, deleting, and altering records in SWIFT banking transaction databases to obscure fraudulent transfers; the SUNSPOT implant (used in the SolarWinds supply chain compromise) that backed up original Orion source files with a .bk extension and wrote trojanized replacements under the original filename; and the MultiLayer Wiper used by Agrius that altered path metadata of deleted files to obstruct forensic recovery.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1565 Data Manipulation
- Sub-technique
- T1565.001 Stored Data Manipulation
- Canonical reference
- https://attack.mitre.org/techniques/T1565/001/
YARA-L Detection Query
rule stored_data_manipulation {
  meta:
    author = "Detection Engineering"
    description = "Detects unauthorized stored data manipulation (T1565.001)"
    severity = "HIGH"
    tactic = "TA0040"
  events:
    $e.metadata.event_type = "FILE_MODIFICATION"
    re.regex($e.target.file.full_path, `(?i)\.(sql|db|sqlite|mdb|csv|xlsx|json|config|conf)$`) nocase
    re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell|wscript|cscript|python|perl|certutil|bitsadmin)`) nocase
  condition:
    $e
}
Chronicle YARA-L rule detecting unauthorized modification of database and configuration files.
Data Sources
Required Tables
False Positives & Tuning
- Software deployment or configuration management tools (Ansible, Chef, Puppet, SCCM) that atomically replace configuration files by writing to a temp file and renaming — creates backup-like patterns with high file counts
- Backup agents (Veeam, Veritas, Acronis, Windows Server Backup) that create .bak copies of databases or config files before snapshotting — triggers both the backup-replace and bulk modification patterns
- Development CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) that generate, compile, and write multiple source code or config files in rapid succession during build steps
- Antivirus or DLP quarantine operations that move or rename files with modified extensions during remediation workflows
- Database maintenance scripts (index rebuilds, VACUUM, CHECKPOINT operations run by scripts) that write temporary files alongside primary database files
- Document management systems (SharePoint sync, Dropbox, OneDrive) that batch-sync large numbers of Office documents during initial sync or conflict resolution
Testing Methodology
Validate this detection against the 4 Atomic Red Team test cases for T1565.001 listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SUNSPOT-Style Backup-and-Replace File Manipulation (Windows)
Expected signal: Sysmon Event ID 11 (FileCreate): Two events — first for df00tech_orion_config.xml.bk (backup creation), second for df00tech_orion_config.xml (replacement write) — both with Image=powershell.exe as the initiating process. Both events fire within seconds of each other in the same directory. Sysmon Event ID 1 (Process Create): powershell.exe spawned with the script block command.
- Test 2: Bulk Financial CSV Record Manipulation (Windows)
Expected signal: Sysmon Event ID 11 (FileCreate): 24 events total — 12 original file creations followed by 12 overwrite events — all with Image=powershell.exe as initiating process, all in the same $TEMP\df00tech_transactions directory. Events should cluster within a 30-60 second window. Sysmon Event ID 1 for the PowerShell process creation.
- Test 3: SQLite Database Record Manipulation (Linux)
Expected signal: Linux auditd EXECVE records for sqlite3 with the database file path argument (if auditd is configured with -a exit,always -F arch=b64 -S execve). Syslog or endpoint telemetry showing sqlite3 process execution with /tmp/df00tech_swift_transactions.db as argument. File modification events for the .db file from the endpoint agent (if deployed on Linux). On MDE Linux, DeviceFileEvents with ActionType=FileModified for the .db file with InitiatingProcessFileName=sqlite3.
- Test 4: Mass Office Document Content Replacement (Windows PowerShell)
Expected signal: Sysmon Event ID 11 (FileCreate): 20 events — 10 originals, then 10 overwrites — all initiated by powershell.exe within the same directory. The overwrite batch should complete within seconds, producing a dense cluster of file events. All events share the same PowerShell process ID and initiating account. Sysmon Event ID 1 for PowerShell process creation.
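The two file-event shapes the tests above describe, the SUNSPOT-style backup-then-overwrite pair (Test 1) and the dense same-process write cluster (Tests 2 and 4), expressed as detection logic over Sysmon Event ID 11 records. This is an added example, not code from the page or from Chronicle; the event records are constructed, the timestamps, process IDs and `df00tech_*` paths are sample values, and the script-host set mirrors the YARA-L rule's process regex so that backup agents from the tuning list (Veeam and similar) fall outside scope.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

BACKUP_EXT = {".bk", ".bak", ".old", ".orig"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "python.exe", "perl.exe"}
def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
def in_scope(ev):  # same initiating-process filter the YARA-L rule applies
    return ntpath.basename(ev["Image"]).lower() in SCRIPT_HOSTS

def backup_and_replace(events, window=timedelta(seconds=30)):
    """SUNSPOT pattern: a backup copy appears, then the same process rewrites the original within `window`."""
    pending, hits = {}, []
    for ev in sorted(filter(in_scope, events), key=_ts):
        path = ev["TargetFilename"].lower()
        base, ext = ntpath.splitext(path)
        if ext in BACKUP_EXT:  # remember the backup under the name it shadows
            pending[(ev["ProcessId"], base)] = (_ts(ev), path)
            continue
        prior = pending.pop((ev["ProcessId"], path), None)
        if prior and _ts(ev) - prior[0] <= window:
            hits.append((prior[1], path))  # (backup_path, original_path)
    return hits

def bulk_modification(events, threshold=10, window=timedelta(seconds=60)):
    """Bulk pattern (Tests 2 and 4): >= threshold writes by one process into one directory within `window`."""
    by_key = defaultdict(list)
    for ev in filter(in_scope, events):
        by_key[(ev["ProcessId"], ntpath.dirname(ev["TargetFilename"].lower()))].append(_ts(ev))
    alerts = []
    for (pid, folder), times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((pid, folder, peak))
    return alerts

# Constructed Sysmon Event ID 11 records: Test 1's backup-and-replace pair, then Test 2's 12 + 12 CSV writes.
TMP = "C:\\Users\\a\\AppData\\Local\\Temp\\"
RAW = [("2024-01-01 10:00:00", "powershell.exe", 4120, TMP + "df00tech_orion_config.xml.bk"),
       ("2024-01-01 10:00:02", "powershell.exe", 4120, TMP + "df00tech_orion_config.xml")]
RAW += [(f"2024-01-01 10:10:{i:02d}", "powershell.exe", 5000,
         f"{TMP}df00tech_transactions\\tx_{i % 12:02d}.csv") for i in range(24)]
EVENTS = [dict(zip(("UtcTime", "Image", "ProcessId", "TargetFilename"), r)) for r in RAW]
```

Running both functions over EVENTS yields one backup-and-replace hit for the Orion config and one bulk alert for the 24 writes by PID 5000 in the transactions directory; a .bak cycle written by a non-script-host image produces nothing.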
References (10)
- https://attack.mitre.org/techniques/T1565/001/
- https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
- https://www.justice.gov/opa/press-release/file/1092091/download
- https://unit42.paloaltonetworks.com/agrius-targeting-israel/
- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1565.001/T1565.001.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://www.swift.com/your-needs/financial-crime-cyber-security/cyber-security/swift-customer-security-programme-csp
- https://www.cisa.gov/sites/default/files/publications/AA21-048A_Joint-CSA_SolarWinds-Supply-Chain.pdf