T1565.002 Elastic Security · Elastic

Detect Transmitted Data Manipulation in Elastic Security

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, threatening data integrity. Manipulation may occur over network connections or between system processes, including intercepting clipboard contents to replace cryptocurrency addresses (crypto-clipping), modifying financial wire transfer messages such as SWIFT transactions, or altering email content during transit. Real-world examples include APT38 using DYEPACK to manipulate SWIFT messages, LightNeuron modifying Exchange email content in-flight, and commodity banking trojans Melcoz and Metamorfo silently replacing copied wallet addresses. This technique typically requires prolonged access and specialized knowledge of the target transmission mechanism.

MITRE ATT&CK

Tactic
Impact
Technique
T1565 Data Manipulation
Sub-technique
T1565.002 Transmitted Data Manipulation
Canonical reference
https://attack.mitre.org/techniques/T1565/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (event.category == "process" and event.type == "start" and
   process.name : ("netsh.exe") and
   process.args : ("interface","portproxy","add","v4tov4","v6tov4") and
   not process.parent.name : ("msiexec.exe","Setup.exe","install*")) or
  (event.category == "registry" and
   registry.path : "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\*") or
  (event.category == "driver" and event.type == "start" and
   not process.name : ("TrustedInstaller.exe","msiexec.exe","devcon.exe"))
high severity medium confidence

Detects transmitted data manipulation via netsh port proxy rules and unexpected network driver/filter installation.

Data Sources

Windows Process EventsWindows Registry EventsDriver Events

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.registry-*

False Positives & Tuning

  • Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately reads and writes clipboard data at high frequency and will trigger the ClipboardHijack pattern
  • Password managers (KeePass, 1Password, Bitwarden) that copy credentials to the clipboard will match clipboard access patterns
  • IT administrators configuring netsh portproxy for legitimate port forwarding, NAT traversal, or IPv4-to-IPv6 translation in lab or jump-host environments
  • Endpoint security vendors that install NDIS filter drivers for network traffic inspection (Palo Alto Cortex XDR, Symantec, CrowdStrike network filter components) will trigger the kernel driver installation pattern
  • VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and remote desktop tools that install virtual network adapter drivers with Type=SERVICE_KERNEL_DRIVER
  • Automated UI testing frameworks (Playwright, Selenium, AutoIt) that programmatically interact with clipboard in CI/CD test environments
Download portable Sigma rule (.yml)

Other platforms for T1565.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Crypto Clipboard Hijacker Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Clipboard', 'Set-Clipboard', and '-WindowStyle Hidden'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will show the full deobfuscated script including the attacker address. The short-lived process (5 seconds) creates a single process creation event.

  2. Test 2netsh PortProxy Rule Creation for Traffic Redirection

    Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy', 'add v4tov4', 'listenport=8080', and 'connectaddress=127.0.0.1'. Sysmon Event ID 13 (RegistryValueSet) at HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\127.0.0.1/8080 with the connectaddress value. Security Event ID 4688 (if command line auditing is enabled via GPO) captures the full netsh invocation.

  3. Test 3Python Clipboard Monitor with Cryptocurrency Address Pattern

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'pyperclip', 'clipboard', and the regex pattern. If pip install fires, a second child process (pip.exe or python.exe -m pip) creates an additional Event ID 1. Sysmon Event ID 3 may capture outbound connection to PyPI if the pip install path is triggered.

  4. Test 4ARP Cache Poisoning with Built-in arp.exe (MITM Precursor)

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\arp.exe, CommandLine='arp -s 192.168.1.254 aa-bb-cc-dd-ee-ff'. Security Event ID 4688 (with process command line auditing enabled) captures the arp invocation. No file or registry changes are written. Verify effect with 'arp -a' — the injected static entry shows type 'static' rather than 'dynamic'.

Last updated: 2026-03-12 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1565.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1565Data Manipulation

Related Sub-techniques

T1565.001Stored Data ManipulationT1565.003Runtime Data Manipulation

Related Techniques

T1565Data ManipulationT1565.001Stored Data ManipulationT1557Adversary-in-the-MiddleT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1557.002ARP Cache PoisoningT1040Network SniffingT1055Process InjectionT1114.002Remote Email CollectionT1496.001Compute HijackingT1562.004Disable or Modify System Firewall

Same Tactic: Impact

Popular Detections