T1565.002 Transmitted Data Manipulation Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1565.002 — Transmitted Data Manipulation
// Covers: clipboard hijacking (crypto-clipping), netsh portproxy traffic redirection,
// new kernel/NDIS filter driver installation, process injection into network-facing apps

// --- Clipboard hijacking via scripting engines (Melcoz/Metamorfo pattern) ---
let ClipboardHijack = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any (
    "Get-Clipboard", "Set-Clipboard",
    "[Windows.Forms.Clipboard]", "System.Windows.Forms.Clipboard",
    "GetClipboardData", "SetClipboardData", "OpenClipboard",
    "clipboard.paste", "clipboard.copy", "pyperclip", "win32clipboard"
)
| extend DetectionType = "ClipboardHijack"
| extend RiskScore = 70
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionType, RiskScore,
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "";

// --- netsh portproxy: redirecting traffic to attacker-controlled endpoint ---
let PortProxyRedirect = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has "portproxy"
    and ProcessCommandLine has_any ("add", "set")
    and ProcessCommandLine has "connectaddress"
| extend DetectionType = "PortProxy_TrafficRedirection"
| extend RiskScore = 80
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionType, RiskScore,
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "";

// --- New kernel driver installation (WFP callout / NDIS filter for traffic interception) ---
let NetworkFilterDriver = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "CurrentControlSet\\Services"
| where RegistryValueName =~ "Type"
| where RegistryValueData in ("1", "0x00000001")  // SERVICE_KERNEL_DRIVER
| extend ServiceName = extract(@"Services\\([^\\]+)", 1, RegistryKey)
| where isnotempty(ServiceName)
| extend DetectionType = "NetworkFilterDriver_NewKernelDriver"
| extend RiskScore = 85
| project Timestamp, DeviceName, AccountName, FileName = ServiceName, ProcessCommandLine = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionType, RiskScore,
          RegistryKey, RegistryValueName, RegistryValueData;

// --- Remote thread injection into browser/email clients (intercept data in-process) ---
let BrowserMailInjection = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| where FileName in~ (
    "chrome.exe", "firefox.exe", "msedge.exe",
    "outlook.exe", "thunderbird.exe", "iexplore.exe"
)
| where InitiatingProcessFileName !in~ (
    "chrome.exe", "firefox.exe", "msedge.exe",
    "outlook.exe", "thunderbird.exe", "iexplore.exe"
)
| extend DetectionType = "ProcessInjection_NetworkApp"
| extend RiskScore = 90
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionType, RiskScore,
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "";

// --- Known MITM tool execution ---
let MITMTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("arpspoof", "ettercap", "bettercap", "responder", "mitmproxy")
    or (ProcessCommandLine has_any ("arpspoof", "bettercap", "ettercap", "responder", "mitmproxy")
        and FileName in~ ("python.exe", "python3.exe", "bash", "sh"))
| extend DetectionType = "MITMTool_Execution"
| extend RiskScore = 95
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionType, RiskScore,
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "";

union ClipboardHijack, PortProxyRedirect, NetworkFilterDriver, BrowserMailInjection, MITMTools
| sort by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Registry: Registry Value Set Process: Process Modification Network Traffic: Network Traffic Content

Required Tables

DeviceProcessEvents DeviceRegistryEvents DeviceEvents

False Positives

Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately reads and writes clipboard data at high frequency and will trigger the ClipboardHijack pattern
Password managers (KeePass, 1Password, Bitwarden) that copy credentials to the clipboard will match clipboard access patterns
IT administrators configuring netsh portproxy for legitimate port forwarding, NAT traversal, or IPv4-to-IPv6 translation in lab or jump-host environments
Endpoint security vendors that install NDIS filter drivers for network traffic inspection (Palo Alto Cortex XDR, Symantec, CrowdStrike network filter components) will trigger the kernel driver installation pattern
VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and remote desktop tools that install virtual network adapter drivers with Type=SERVICE_KERNEL_DRIVER
Automated UI testing frameworks (Playwright, Selenium, AutoIt) that programmatically interact with clipboard in CI/CD test environments

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval DetectionType=null()
| eval RiskScore=0

| eval DetectionType=if(
    EventCode=1
    AND (match(lower(Image), "(powershell\.exe|pwsh\.exe|python[23]?\.exe|wscript\.exe|cscript\.exe)"))
    AND match(lower(CommandLine), "(get-clipboard|set-clipboard|windows\.forms\.clipboard|getclipboarddata|setclipboarddata|openclipboard|clipboard\.paste|clipboard\.copy|pyperclip|win32clipboard)"),
    "ClipboardHijack",
    DetectionType
)
| eval RiskScore=if(DetectionType="ClipboardHijack", 70, RiskScore)

| eval DetectionType=if(
    EventCode=1
    AND match(lower(Image), "netsh\.exe")
    AND match(lower(CommandLine), "portproxy")
    AND match(lower(CommandLine), "(add|set)")
    AND match(lower(CommandLine), "connectaddress"),
    "PortProxy_TrafficRedirection",
    DetectionType
)
| eval RiskScore=if(DetectionType="PortProxy_TrafficRedirection", 80, RiskScore)

| eval DetectionType=if(
    EventCode=8
    AND match(lower(TargetImage), "(chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|thunderbird\.exe|iexplore\.exe)")
    AND NOT match(lower(SourceImage), "(chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|thunderbird\.exe|iexplore\.exe)"),
    "ProcessInjection_NetworkApp",
    DetectionType
)
| eval RiskScore=if(DetectionType="ProcessInjection_NetworkApp", 90, RiskScore)

| eval DetectionType=if(
    EventCode=13
    AND match(lower(TargetObject), "currentcontrolset\\\\services\\\\.+")
    AND match(Details, "DWORD \(0x00000001\)"),
    "NetworkFilterDriver_NewKernelDriver",
    DetectionType
)
| eval RiskScore=if(DetectionType="NetworkFilterDriver_NewKernelDriver", 85, RiskScore)

| eval DetectionType=if(
    EventCode=1
    AND match(lower(Image), "(arpspoof|ettercap|bettercap|responder|mitmproxy)"),
    "MITMTool_Execution",
    DetectionType
)
| eval RiskScore=if(DetectionType="MITMTool_Execution", 95, RiskScore)

| where isnotnull(DetectionType)
| table _time, host, User, Image, CommandLine, TargetImage, SourceImage, TargetObject, Details, DetectionType, RiskScore
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Process: Process Modification Registry: Registry Value Set Command: Command Execution

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately monitors clipboard and will trigger the ClipboardHijack pattern
Password managers copying credentials to clipboard will match clipboard access patterns in scripting language processes
IT administrators using netsh portproxy for legitimate port forwarding in test, staging, or jump-host configurations
Endpoint security products installing NDIS filter drivers (CrowdStrike, Palo Alto, Symantec) will trigger the Type=1 kernel driver registry pattern
Chromium sandbox processes and GPU helper processes that occasionally create remote threads within the browser process family
Network debugging tools such as Wireshark (npcap driver) or WinPcap triggering the kernel driver installation detection

Elastic Security (EQL)

eql

any where
  (event.category == "process" and event.type == "start" and
   process.name : ("netsh.exe") and
   process.args : ("interface","portproxy","add","v4tov4","v6tov4") and
   not process.parent.name : ("msiexec.exe","Setup.exe","install*")) or
  (event.category == "registry" and
   registry.path : "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\*") or
  (event.category == "driver" and event.type == "start" and
   not process.name : ("TrustedInstaller.exe","msiexec.exe","devcon.exe"))

high severity medium confidence

Data Sources

Windows Process Events Windows Registry Events Driver Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-*

False Positives

Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately reads and writes clipboard data at high frequency and will trigger the ClipboardHijack pattern
Password managers (KeePass, 1Password, Bitwarden) that copy credentials to the clipboard will match clipboard access patterns
IT administrators configuring netsh portproxy for legitimate port forwarding, NAT traversal, or IPv4-to-IPv6 translation in lab or jump-host environments
Endpoint security vendors that install NDIS filter drivers for network traffic inspection (Palo Alto Cortex XDR, Symantec, CrowdStrike network filter components) will trigger the kernel driver installation pattern
VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and remote desktop tools that install virtual network adapter drivers with Type=SERVICE_KERNEL_DRIVER
Automated UI testing frameworks (Playwright, Selenium, AutoIt) that programmatically interact with clipboard in CI/CD test environments

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine,
  CASE WHEN "CommandLine" ILIKE '%portproxy%add%' THEN 10
       WHEN "TargetObject" ILIKE '%PortProxy%' THEN 9
       WHEN "CommandLine" ILIKE '%clipboard%' AND "Image" ILIKE '%wscript%' THEN 8
       ELSE 5 END as RiskScore
FROM events
WHERE (
  (eventid = 1 AND "Image" ILIKE '%netsh.exe%' AND
   "CommandLine" ILIKE '%interface portproxy%' AND "CommandLine" ILIKE '%add v4tov4%')
  OR (eventid IN (12,13) AND "TargetObject" ILIKE '%PortProxy%')
  OR (eventid = 6)
)
ORDER BY RiskScore DESC, EventTime DESC

high severity medium confidence

Data Sources

Windows Sysmon

Required Tables

events

False Positives

Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately reads and writes clipboard data at high frequency and will trigger the ClipboardHijack pattern
Password managers (KeePass, 1Password, Bitwarden) that copy credentials to the clipboard will match clipboard access patterns
IT administrators configuring netsh portproxy for legitimate port forwarding, NAT traversal, or IPv4-to-IPv6 translation in lab or jump-host environments
Endpoint security vendors that install NDIS filter drivers for network traffic inspection (Palo Alto Cortex XDR, Symantec, CrowdStrike network filter components) will trigger the kernel driver installation pattern
VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and remote desktop tools that install virtual network adapter drivers with Type=SERVICE_KERNEL_DRIVER
Automated UI testing frameworks (Playwright, Selenium, AutoIt) that programmatically interact with clipboard in CI/CD test environments

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| json auto
| where EventID in ("1","6","12","13")
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval TargetLower = toLower(coalesce(TargetObject,""))
| eval ImageLower = toLower(coalesce(Image,""))
| eval is_portproxy = if(
    (EventID == "1" AND ImageLower matches ".*netsh\.exe$" AND
     CmdLower matches ".*interface portproxy.*add.*v4tov4.*") OR
    (EventID in ("12","13") AND TargetLower matches ".*portproxy.*"), 1, 0)
| eval is_driver = if(EventID == "6" AND
    !ImageLower matches ".*(trustedinstaller|msiexec|devcon|dism)\.exe.*", 1, 0)
| where is_portproxy == 1 OR is_driver == 1
| eval detection_type = if(is_portproxy == 1, "PortProxy_Redirect", "Suspicious_Driver_Load")
| table _time, Computer, User, Image, CommandLine, TargetObject, detection_type
| sort by _time desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic

Required Tables

windows/sysmon

False Positives

Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately reads and writes clipboard data at high frequency and will trigger the ClipboardHijack pattern
Password managers (KeePass, 1Password, Bitwarden) that copy credentials to the clipboard will match clipboard access patterns
IT administrators configuring netsh portproxy for legitimate port forwarding, NAT traversal, or IPv4-to-IPv6 translation in lab or jump-host environments
Endpoint security vendors that install NDIS filter drivers for network traffic inspection (Palo Alto Cortex XDR, Symantec, CrowdStrike network filter components) will trigger the kernel driver installation pattern
VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and remote desktop tools that install virtual network adapter drivers with Type=SERVICE_KERNEL_DRIVER
Automated UI testing frameworks (Playwright, Selenium, AutoIt) that programmatically interact with clipboard in CI/CD test environments

Google Chronicle / SecOps

yaral

rule transmitted_data_manipulation {
  meta:
    author = "Detection Engineering"
    description = "Detects transmitted data manipulation via port proxy and driver manipulation (T1565.002)"
    severity = "HIGH"
    tactic = "TA0040"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.file.full_path, `(?i)netsh\.exe`) nocase
    re.regex($e.target.process.command_line, `(?i)interface portproxy`) nocase
    re.regex($e.target.process.command_line, `(?i)add v[46]tov[46]`) nocase

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately reads and writes clipboard data at high frequency and will trigger the ClipboardHijack pattern
Password managers (KeePass, 1Password, Bitwarden) that copy credentials to the clipboard will match clipboard access patterns
IT administrators configuring netsh portproxy for legitimate port forwarding, NAT traversal, or IPv4-to-IPv6 translation in lab or jump-host environments
Endpoint security vendors that install NDIS filter drivers for network traffic inspection (Palo Alto Cortex XDR, Symantec, CrowdStrike network filter components) will trigger the kernel driver installation pattern
VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and remote desktop tools that install virtual network adapter drivers with Type=SERVICE_KERNEL_DRIVER
Automated UI testing frameworks (Playwright, Selenium, AutoIt) that programmatically interact with clipboard in CI/CD test environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| (ImageFileName = /netsh\.exe$/i AND CommandLine = /interface portproxy/i AND CommandLine = /add v[46]tov[46]/i)
  OR (ImageFileName = /reg\.exe$/i AND CommandLine = /PortProxy/i)
| eval risk = "high"
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, risk
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately reads and writes clipboard data at high frequency and will trigger the ClipboardHijack pattern
Password managers (KeePass, 1Password, Bitwarden) that copy credentials to the clipboard will match clipboard access patterns
IT administrators configuring netsh portproxy for legitimate port forwarding, NAT traversal, or IPv4-to-IPv6 translation in lab or jump-host environments
Endpoint security vendors that install NDIS filter drivers for network traffic inspection (Palo Alto Cortex XDR, Symantec, CrowdStrike network filter components) will trigger the kernel driver installation pattern
VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and remote desktop tools that install virtual network adapter drivers with Type=SERVICE_KERNEL_DRIVER
Automated UI testing frameworks (Playwright, Selenium, AutoIt) that programmatically interact with clipboard in CI/CD test environments

Transmitted Data Manipulation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections