T1565.001 Splunk · SPL

Detect Stored Data Manipulation in Splunk

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. Real-world examples include APT38's DYEPACK tool creating, deleting, and altering records in SWIFT banking transaction databases to obscure fraudulent transfers; the SUNSPOT implant (used in the SolarWinds supply chain compromise) that backed up original Orion source files with a .bk extension and wrote trojanized replacements under the original filename; and the MultiLayer Wiper used by Agrius that altered path metadata of deleted files to obstruct forensic recovery.

MITRE ATT&CK

Tactic
Impact
Technique
T1565 Data Manipulation
Sub-technique
T1565.001 Stored Data Manipulation
Canonical reference
https://attack.mitre.org/techniques/T1565/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| eval TargetLower=lower(TargetFilename)
| eval IsCritical=if(match(TargetLower, "\.(sql|db|sqlite|mdb|accdb|dbf|csv|xlsx|xls|docx|xml|json|config|conf|ini|cs|py|js)$"), 1, 0)
| eval IsBackup=if(match(TargetLower, "\.(bk|bak|orig|backup|old|tmp)$"), 1, 0)
| eval TrustedProcess=if(match(lower(Image), "(sqlservr|mysqld|postgres|mongod|oracle|sqlite3|msmpeng|onedrive|outlook|excel|winword)\.exe$"), 1, 0)
| where (IsCritical=1 OR IsBackup=1) AND TrustedProcess=0
| bin _time span=5m
| stats
    count as TotalEvents,
    dc(TargetFilename) as UniqueFiles,
    sum(IsCritical) as CriticalFileCount,
    sum(IsBackup) as BackupFileCount,
    values(TargetFilename) as ModifiedFiles,
    dc(TargetFilename) as FolderCount
    by _time, host, Image, User, CommandLine, ProcessId
| where UniqueFiles >= 5 OR (BackupFileCount >= 1 AND CriticalFileCount >= 1)
| eval DetectionReason=case(
    BackupFileCount >= 1 AND CriticalFileCount >= 1, "BackupReplacePattern_SUNSPOT_Analog",
    UniqueFiles >= 20, "BulkModification_High",
    UniqueFiles >= 10, "BulkModification_Medium",
    true(), "BulkModification_Low"
)
| eval RiskScore=case(
    DetectionReason="BackupReplacePattern_SUNSPOT_Analog", 90,
    DetectionReason="BulkModification_High", 80,
    DetectionReason="BulkModification_Medium", 60,
    true(), 40
)
| table _time, host, User, Image, CommandLine, ProcessId, UniqueFiles, CriticalFileCount, BackupFileCount, ModifiedFiles, DetectionReason, RiskScore
| sort - RiskScore UniqueFiles
high severity medium confidence

Detects stored data manipulation using Sysmon Event ID 11 (FileCreate, which captures both file creation and overwrite events). Identifies backup-and-replace patterns (backup extension file created alongside critical data file modification — analogous to SUNSPOT's .bk technique) and bulk modification of databases, Office documents, configuration files, and source code by untrusted processes within 5-minute windows. Applies a risk scoring model to prioritize BackupReplace detections (score 90) over volumetric bulk modification detections. Excludes known database engines and productivity suite processes as initiating processes.

Data Sources

File: File ModificationFile: File CreationSysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Software deployment or configuration management tools (Ansible, Chef, Puppet, SCCM) that atomically replace configuration files by writing temp files and renaming them
  • Backup agents (Veeam, Veritas, Acronis) that create .bak copies of databases or config files before snapshotting
  • CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) generating multiple source code or config files during build steps
  • Document management systems (SharePoint sync, Dropbox, OneDrive) performing batch-sync of Office documents
  • Database maintenance scripts writing temporary files alongside primary database files during index rebuilds or vacuum operations
  • Security tools or AV quarantine operations that rename files with modified extensions during remediation
Download portable Sigma rule (.yml)

Other platforms for T1565.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SUNSPOT-Style Backup-and-Replace File Manipulation (Windows)

    Expected signal: Sysmon Event ID 11 (FileCreate): Two events — first for df00tech_orion_config.xml.bk (backup creation), second for df00tech_orion_config.xml (replacement write) — both with Image=powershell.exe as the initiating process. Both events fire within seconds of each other in the same directory. Sysmon Event ID 1 (Process Create): powershell.exe spawned with the script block command.

  2. Test 2Bulk Financial CSV Record Manipulation (Windows)

    Expected signal: Sysmon Event ID 11 (FileCreate): 24 events total — 12 original file creations followed by 12 overwrite events — all with Image=powershell.exe as initiating process, all in the same $TEMP\df00tech_transactions directory. Events should cluster within a 30-60 second window. Sysmon Event ID 1 for the PowerShell process creation.

  3. Test 3SQLite Database Record Manipulation (Linux)

    Expected signal: Linux auditd EXECVE records for sqlite3 with the database file path argument (if auditd is configured with -a exit,always -F arch=b64 -S execve). Syslog or endpoint telemetry showing sqlite3 process execution with /tmp/df00tech_swift_transactions.db as argument. File modification events for the .db file from the endpoint agent (if deployed on Linux). On MDE Linux, DeviceFileEvents with ActionType=FileModified for the .db file with InitiatingProcessFileName=sqlite3.

  4. Test 4Mass Office Document Content Replacement (Windows PowerShell)

    Expected signal: Sysmon Event ID 11 (FileCreate): 20 events — 10 originals, then 10 overwrites — all initiated by powershell.exe within the same directory. The overwrite batch should complete within seconds, producing a dense cluster of file events. All events share the same PowerShell process ID and initiating account. Sysmon Event ID 1 for PowerShell process creation.

Last updated: 2026-03-12 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1565.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1565Data Manipulation

Related Sub-techniques

T1565.002Transmitted Data ManipulationT1565.003Runtime Data Manipulation

Related Techniques

T1565Data ManipulationT1565.002Transmitted Data ManipulationT1565.003Runtime Data ManipulationT1485Data DestructionT1190Exploit Public-Facing ApplicationT1078Valid AccountsT1505.001SQL Stored ProceduresT1195.002Compromise Software Supply ChainT1070.004File DeletionT1027Obfuscated Files or Information

Same Tactic: Impact

Popular Detections