Detect Runtime Data Manipulation in Microsoft Sentinel
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, threatening the integrity of information presented at runtime. Unlike stored data manipulation which alters data at rest, runtime manipulation intercepts and alters data in memory or during processing before it reaches the display layer — allowing adversaries to show fraudulent information while persisting clean data on disk. APT38 demonstrated this with DYEPACK.FOX, which hooked PDF rendering to redact fraudulent SWIFT transaction records from operator views. Runtime manipulation typically requires process injection (CreateRemoteThread, WriteProcessMemory), DLL hijacking into display application processes, or API hooking of rendering or formatting functions. The technique is particularly dangerous in financial, SCADA, and operational technology environments where displayed data directly informs decisions.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1565 Data Manipulation
- Sub-technique: T1565.003 Runtime Data Manipulation
- Canonical reference: https://attack.mitre.org/techniques/T1565/003/
KQL Detection Query
```kql
let DisplayApplications = dynamic([
    "acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe",
    "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
    "mspaint.exe", "explorer.exe", "mmc.exe", "wmplayer.exe",
    "evince", "okular", "libreoffice"
]);
let SuspiciousSourceProcesses = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe"
]);
// Detect CreateRemoteThread into display/document applications
let RemoteThreadInjection = DeviceEvents
    | where Timestamp > ago(24h)
    | where ActionType == "CreateRemoteThread"
    | where FileName has_any (DisplayApplications)
    | project Timestamp, DeviceName, AccountName, ActionType,
              TargetProcessName = FileName, TargetProcessId = ProcessId,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName, ReportId,
              DetectionType = "RemoteThreadInjection";
// Detect process memory write access into display applications (Sysmon-equivalent via DeviceEvents)
let ProcessMemoryWrite = DeviceEvents
    | where Timestamp > ago(24h)
    | where ActionType == "OpenProcess"
    | where FileName has_any (DisplayApplications)
    | where InitiatingProcessFileName has_any (SuspiciousSourceProcesses)
    | project Timestamp, DeviceName, AccountName, ActionType,
              TargetProcessName = FileName, TargetProcessId = ProcessId,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName, ReportId,
              DetectionType = "SuspiciousProcessOpen";
// Detect unexpected DLL loads into document viewer processes
let SuspiciousDllLoad = DeviceImageLoadEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName has_any (DisplayApplications)
    | where not(FolderPath has_any (@"C:\Windows\", @"C:\Program Files\", @"C:\Program Files (x86)\"))
    | where isnotempty(SHA1)   // drop records with no hash, which cannot be correlated or allowlisted
    | project Timestamp, DeviceName, AccountName,
              FolderPath, FileName, SHA1,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName, ReportId,
              DetectionType = "SuspiciousDllIntoViewer";
// Detect binary modifications to display application executables
let BinaryTampering = DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType in ("FileModified", "FileRenamed")
    | where FileName endswith ".exe" or FileName endswith ".dll"
    | where FolderPath has_any (@"Program Files\Adobe", @"Program Files\Foxit",
                                @"Program Files\Microsoft Office", @"Program Files (x86)\Microsoft Office")
    | where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "install.exe",
                                            "trustedinstaller.exe", "tiworker.exe", "svchost.exe")
    | project Timestamp, DeviceName, AccountName,
              FolderPath, FileName, ActionType, SHA1,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName, ReportId,
              DetectionType = "DisplayBinaryTampering";
union RemoteThreadInjection, ProcessMemoryWrite, SuspiciousDllLoad, BinaryTampering
| sort by Timestamp desc
```
Detects runtime data manipulation attempts targeting display and document viewer applications across four vectors: (1) CreateRemoteThread injection into PDF readers, Office applications, or other display processes using DeviceEvents; (2) suspicious process memory open operations from scripting engines or LOLBins targeting viewer processes; (3) unexpected DLL loads from non-standard paths into document viewer processes via DeviceImageLoadEvents; (4) unauthorized binary modifications to display application executables via DeviceFileEvents. The union approach catches the breadth of injection and tampering techniques adversaries use to intercept and modify data before it reaches the operator view.
Data Sources
Required Tables
- DeviceEvents (ActionType CreateRemoteThread and OpenProcess), from the Microsoft Defender for Endpoint connector
- DeviceImageLoadEvents (DLL loads into viewer processes)
- DeviceFileEvents (FileModified and FileRenamed on display application binaries)
False Positives & Tuning
- EDR and AV products (CrowdStrike Falcon, Carbon Black, Cylance) routinely inject monitoring DLLs into all running processes including document viewers — their DLL paths and signing certificates should be allowlisted
- Accessibility software (JAWS, NVDA, ZoomText) legitimately hooks rendering APIs in PDF and Office applications to provide screen reader functionality
- Visual Studio debugger and tools like x64dbg/WinDbg attach to processes with full memory access rights during development and QA workflows
- PDF print spooler integrations and enterprise DRM solutions (Adobe LiveCycle, Workshare, Vera) inject into Acrobat to intercept document output
- Screen recording and enterprise content monitoring tools (Panopto, Citrix UiPath, Teramind) use process injection to capture display output for compliance purposes
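The tuning notes above come down to one operation: exclude image loads whose publisher is a known EDR, accessibility or DRM vendor, and let prevalence do the rest. The query below is an added example of that allowlist, not part of the page's detection rule. It assumes the DeviceFileCertificateInfo table is ingested alongside DeviceImageLoadEvents through the Defender for Endpoint connector, and the signer strings are placeholders that must be replaced with the exact Subject names observed in your own tenant.

```kql
// Added tuning example (not the page's rule): suppress DLL loads into viewer processes when the
// module is signed by an allowlisted publisher, then rank what remains by fleet prevalence.
let DisplayApplications = dynamic([
    "acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe",
    "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"
]);
// Placeholder publisher names: replace with the Signer values seen for your EDR,
// screen-reader and DRM products in DeviceFileCertificateInfo.
let AllowlistedSigners = dynamic([
    "<EDR_VENDOR_SIGNER>", "<ACCESSIBILITY_VENDOR_SIGNER>", "<DRM_VENDOR_SIGNER>"
]);
// Hashes of modules that carry a valid, trusted signature from an allowlisted publisher
let TrustedHashes = DeviceFileCertificateInfo
    | where Timestamp > ago(30d)
    | where IsSigned == true and IsTrusted == true
    | where Signer in~ (AllowlistedSigners)
    | distinct SHA1;
DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (DisplayApplications)
| where not(FolderPath has_any (@"C:\Windows\", @"C:\Program Files\", @"C:\Program Files (x86)\"))
| where isnotempty(SHA1)
// leftanti keeps only loads whose hash is NOT in the trusted set
| join kind=leftanti TrustedHashes on SHA1
| summarize LoadCount = count(), Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by FileName, FolderPath, SHA1, InitiatingProcessFileName
// A module present on a handful of hosts is a better candidate for a targeted implant than one
// loaded fleet-wide, which is usually an unallowlisted managed product; adjust the threshold to fleet size.
| where Devices <= 5
| sort by LastSeen desc
```

Keying the allowlist on the certificate rather than on file path or file name matters here: an adversary can drop a DLL named after an EDR component into a writable directory, but cannot reproduce the vendor's trusted signature, so a path-based exclusion would reopen exactly the gap the rule is meant to close.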
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CreateRemoteThread Injection into Notepad (Windows Shellcode Proxy)
  Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, StartAddress=<allocated_address>, StartModule='' (empty: shellcode, not a DLL). Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x1F0FFF. Security Event ID 4688: powershell.exe process creation with the injection command line.
- Test 2: DLL Injection via LoadLibrary into Explorer (Reflective Load Simulation)
  Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=explorer.exe, StartAddress=<LoadLibraryW_address>, StartModule=C:\Windows\System32\kernel32.dll, StartFunction=LoadLibraryW. Sysmon Event ID 7 (ImageLoad) in the explorer.exe process showing the version.dll load if not already present. Sysmon Event ID 10: GrantedAccess=0x1F0FFF from powershell.exe into explorer.exe.
- Test 3: Linux LD_PRELOAD Injection to Intercept Display Library Functions
  Expected signal: Linux audit log (auditd): execve syscall for the gcc compilation of the shared library; execve syscall for the LD_PRELOAD bash invocation with the environment variable set. syslog/auth.log: the LD_PRELOAD environment variable may appear in process accounting. Sysmon for Linux (if deployed): EventCode 1 (Process Create) with CommandLine containing 'LD_PRELOAD' and the .so path. File creation events for /tmp/intercept_display.c and /tmp/intercept_display.so.
- Test 4: Inline Function Hook (IAT Patch) in Running Process via PowerShell
  Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x0410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ). Security Event ID 4688: powershell.exe execution with the command line. If AV is monitoring OpenProcess calls on non-EDR processes, an additional alert may fire from the security product.
References (10)
- https://attack.mitre.org/techniques/T1565/003/
- https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
- https://www.justice.gov/opa/press-release/file/1092091/download
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimageloadevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md
- https://www.elastic.co/security-labs/detecting-process-injection-with-windows-defender-atp
- https://www.ired.team/offensive-security/code-injection-process-injection/import-adress-table-iat-hooking
- https://man7.org/linux/man-pages/man8/ld.so.8.html