Detect Transmitted Data Manipulation in Google Chronicle
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, threatening data integrity. Manipulation may occur over network connections or between system processes, including intercepting clipboard contents to replace cryptocurrency addresses (crypto-clipping), modifying financial wire transfer messages such as SWIFT transactions, or altering email content during transit. Real-world examples include APT38 using DYEPACK to manipulate SWIFT messages, LightNeuron modifying Exchange email content in-flight, and commodity banking trojans Melcoz and Metamorfo silently replacing copied wallet addresses. This technique typically requires prolonged access and specialized knowledge of the target transmission mechanism.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1565 Data Manipulation
- Sub-technique
- T1565.002 Transmitted Data Manipulation
- Canonical reference
- https://attack.mitre.org/techniques/T1565/002/
YARA-L Detection Query
rule transmitted_data_manipulation {
meta:
author = "Detection Engineering"
description = "Detects transmitted data manipulation via port proxy and driver manipulation (T1565.002)"
severity = "HIGH"
tactic = "TA0040"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
re.regex($e.target.process.file.full_path, `(?i)netsh\.exe`) nocase
re.regex($e.target.process.command_line, `(?i)interface portproxy`) nocase
re.regex($e.target.process.command_line, `(?i)add v[46]tov[46]`) nocase
condition:
$e
}Chronicle YARA-L rule detecting netsh portproxy rule additions for traffic redirection.
Data Sources
Required Tables
False Positives & Tuning
- Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately reads and writes clipboard data at high frequency and will trigger the ClipboardHijack pattern
- Password managers (KeePass, 1Password, Bitwarden) that copy credentials to the clipboard will match clipboard access patterns
- IT administrators configuring netsh portproxy for legitimate port forwarding, NAT traversal, or IPv4-to-IPv6 translation in lab or jump-host environments
- Endpoint security vendors that install NDIS filter drivers for network traffic inspection (Palo Alto Cortex XDR, Symantec, CrowdStrike network filter components) will trigger the kernel driver installation pattern
- VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and remote desktop tools that install virtual network adapter drivers with Type=SERVICE_KERNEL_DRIVER
- Automated UI testing frameworks (Playwright, Selenium, AutoIt) that programmatically interact with clipboard in CI/CD test environments
Other platforms for T1565.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Crypto Clipboard Hijacker Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Clipboard', 'Set-Clipboard', and '-WindowStyle Hidden'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will show the full deobfuscated script including the attacker address. The short-lived process (5 seconds) creates a single process creation event.
- Test 2netsh PortProxy Rule Creation for Traffic Redirection
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy', 'add v4tov4', 'listenport=8080', and 'connectaddress=127.0.0.1'. Sysmon Event ID 13 (RegistryValueSet) at HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\127.0.0.1/8080 with the connectaddress value. Security Event ID 4688 (if command line auditing is enabled via GPO) captures the full netsh invocation.
- Test 3Python Clipboard Monitor with Cryptocurrency Address Pattern
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'pyperclip', 'clipboard', and the regex pattern. If pip install fires, a second child process (pip.exe or python.exe -m pip) creates an additional Event ID 1. Sysmon Event ID 3 may capture outbound connection to PyPI if the pip install path is triggered.
- Test 4ARP Cache Poisoning with Built-in arp.exe (MITM Precursor)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\arp.exe, CommandLine='arp -s 192.168.1.254 aa-bb-cc-dd-ee-ff'. Security Event ID 4688 (with process command line auditing enabled) captures the arp invocation. No file or registry changes are written. Verify effect with 'arp -a' — the injected static entry shows type 'static' rather than 'dynamic'.
References (11)
- https://attack.mitre.org/techniques/T1565/002/
- https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
- https://www.justice.gov/opa/press-release/file/1092091/download
- https://securelist.com/brazilian-banking-trojans-and-windows-clipboard/97373/
- https://www.fortinet.com/blog/threat-research/metamorfo-banking-trojan-keeps-targeting-brazil
- https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-much/
- https://learn.microsoft.com/en-us/windows/win32/wfp/windows-filtering-platform-start-page
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1565.002/T1565.002.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
Unlock Pro Content
Get the full detection package for T1565.002 including response playbook, investigation guide, and atomic red team tests.