Which SIEM platforms have a T1565.003 detection rule?

df00tech provides T1565.003 (Runtime Data Manipulation) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Runtime Data Manipulation (T1565.003)?

Detecting Runtime Data Manipulation requires the following data sources: Process: Process Access, Module: Module Load, File: File Modification, Microsoft Defender for Endpoint.

What severity and confidence is the T1565.003 detection?

The T1565.003 detection is rated high severity with medium confidence.

What are common false positives for T1565.003?

Common false positives for T1565.003 include: EDR and AV products (CrowdStrike Falcon, Carbon Black, Cylance) routinely inject monitoring DLLs into all running processes including document viewers — their DLL paths and signing certificates should be allowlisted; Accessibility software (JAWS, NVDA, ZoomText) legitimately hooks rendering APIs in PDF and Office applications to provide screen reader functionality; Visual Studio debugger and tools like x64dbg/WinDbg attach to processes with full memory access rights during development and QA workflows.

T1565.003 IBM QRadar · QRadar

Detect Runtime Data Manipulation in IBM QRadar

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, threatening the integrity of information presented at runtime. Unlike stored data manipulation which alters data at rest, runtime manipulation intercepts and alters data in memory or during processing before it reaches the display layer — allowing adversaries to show fraudulent information while persisting clean data on disk. APT38 demonstrated this with DYEPACK.FOX, which hooked PDF rendering to redact fraudulent SWIFT transaction records from operator views. Runtime manipulation typically requires process injection (CreateRemoteThread, WriteProcessMemory), DLL hijacking into display application processes, or API hooking of rendering or formatting functions. The technique is particularly dangerous in financial, SCADA, and operational technology environments where displayed data directly informs decisions.

MITRE ATT&CK

Tactic: Impact
Technique: T1565 Data Manipulation
Sub-technique: T1565.003 Runtime Data Manipulation
Canonical reference: https://attack.mitre.org/techniques/T1565/003/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  username,
  sourceip,
  "TargetImage",
  "SourceImage",
  "ImageLoaded",
  "GrantedAccess",
  CASE
    WHEN QIDNAME(qid) LIKE '%CreateRemoteThread%' THEN 'RemoteThreadInjection'
    WHEN QIDNAME(qid) LIKE '%ProcessAccess%' THEN 'SuspiciousProcessAccess'
    WHEN QIDNAME(qid) LIKE '%ImageLoad%' THEN 'UnexpectedDllLoad'
    ELSE 'BinaryTampering'
  END AS detection_type,
  CASE
    WHEN QIDNAME(qid) LIKE '%CreateRemoteThread%' THEN 3
    WHEN QIDNAME(qid) LIKE '%ProcessAccess%' AND "GrantedAccess" IN ('0x1F0FFF','0x001F','0x0028') THEN 2
    WHEN QIDNAME(qid) LIKE '%ImageLoad%' THEN 2
    ELSE 1
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 13 -- Microsoft Windows Security Event Log
  AND starttime > NOW() - 86400000
  AND (
    (
      "EventID" = '8'
      AND (
        "TargetImage" ILIKE '%\\acrord32.exe' OR "TargetImage" ILIKE '%\\acrobat.exe' OR
        "TargetImage" ILIKE '%\\foxitreader.exe' OR "TargetImage" ILIKE '%\\sumatrapdf.exe' OR
        "TargetImage" ILIKE '%\\excel.exe' OR "TargetImage" ILIKE '%\\winword.exe' OR
        "TargetImage" ILIKE '%\\powerpnt.exe' OR "TargetImage" ILIKE '%\\outlook.exe' OR
        "TargetImage" ILIKE '%\\explorer.exe' OR "TargetImage" ILIKE '%\\mmc.exe'
      )
    )
    OR
    (
      "EventID" = '10'
      AND (
        "TargetImage" ILIKE '%\\acrord32.exe' OR "TargetImage" ILIKE '%\\acrobat.exe' OR
        "TargetImage" ILIKE '%\\foxitreader.exe' OR "TargetImage" ILIKE '%\\excel.exe' OR
        "TargetImage" ILIKE '%\\winword.exe' OR "TargetImage" ILIKE '%\\outlook.exe'
      )
      AND (
        "SourceImage" ILIKE '%\\powershell.exe' OR "SourceImage" ILIKE '%\\pwsh.exe' OR
        "SourceImage" ILIKE '%\\cmd.exe' OR "SourceImage" ILIKE '%\\wscript.exe' OR
        "SourceImage" ILIKE '%\\cscript.exe' OR "SourceImage" ILIKE '%\\mshta.exe' OR
        "SourceImage" ILIKE '%\\rundll32.exe' OR "SourceImage" ILIKE '%\\regsvr32.exe'
      )
    )
    OR
    (
      "EventID" = '7'
      AND (
        "Image" ILIKE '%\\acrord32.exe' OR "Image" ILIKE '%\\acrobat.exe' OR
        "Image" ILIKE '%\\foxitreader.exe' OR "Image" ILIKE '%\\excel.exe' OR
        "Image" ILIKE '%\\winword.exe'
      )
      AND "Signed" <> 'true'
      AND NOT (
        "ImageLoaded" ILIKE '%\\Windows\\%' OR
        "ImageLoaded" ILIKE '%\\Program Files\\Adobe\\%' OR
        "ImageLoaded" ILIKE '%\\Program Files\\Foxit\\%' OR
        "ImageLoaded" ILIKE '%\\Program Files\\Microsoft Office\\%' OR
        "ImageLoaded" ILIKE '%\\Program Files (x86)\\Microsoft Office\\%'
      )
    )
  )
ORDER BY risk_score DESC, starttime DESC

high severity medium confidence

AQL query for IBM QRadar detecting T1565.003 Runtime Data Manipulation by correlating Sysmon EventID 8 (CreateRemoteThread), EventID 10 (ProcessAccess), and EventID 7 (ImageLoad) events targeting PDF readers, Office applications, and other display-layer processes. Assigns a risk score based on event type and memory access flags.

Data Sources

Microsoft Windows Sysmon (forwarded via WinCollect or syslog)IBM QRadar DSM for Microsoft Windows

Required Tables

events (QRadar)

False Positives & Tuning

Enterprise DRM solutions that inject into Acrobat or Office to enforce document rights management policies
Screen recording or accessibility software (e.g., JAWS, ZoomText) that hooks into document viewers for rendering capture
Corporate monitoring tools that open handles to Office processes for activity tracking or compliance purposes

Download portable Sigma rule (.yml)

Other platforms for T1565.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1CreateRemoteThread Injection into Notepad (Windows Shellcode Proxy)
Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, StartAddress=<allocated_address>, StartModule='' (empty — shellcode, not DLL). Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x1F0FFF. Security Event ID 4688: powershell.exe process creation with the injection command line.
Test 2DLL Injection via LoadLibrary into Explorer (Reflective Load Simulation)
Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=explorer.exe, StartAddress=<LoadLibraryW_address>, StartModule=C:\Windows\System32\kernel32.dll, StartFunction=LoadLibraryW. Sysmon Event ID 7 (ImageLoad) in explorer.exe process showing version.dll load if not already present. Sysmon Event ID 10: GrantedAccess=0x1F0FFF from powershell.exe into explorer.exe.
Test 3Linux LD_PRELOAD Injection to Intercept Display Library Functions
Expected signal: Linux audit log (auditd): execve syscall for gcc compilation of the shared library. execve syscall for the LD_PRELOAD bash invocation with the environment variable set. syslog/auth.log: LD_PRELOAD environment variable may appear in process accounting. Sysmon for Linux (if deployed): EventCode 1 (Process Create) with CommandLine containing 'LD_PRELOAD' and the .so path. File creation events for /tmp/intercept_display.c and /tmp/intercept_display.so.
Test 4Inline Function Hook (IAT Patch) in Running Process via PowerShell
Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x0410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ). Security Event ID 4688: powershell.exe execution with the command line. If AV is monitoring OpenProcess calls on non-EDR processes, an additional alert may fire from the security product.

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1565.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Runtime Data Manipulation in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1565.003

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Impact

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1565.003

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Impact

Popular Detections

Get new detections in your inbox