T1565.003 Splunk · SPL

Detect Runtime Data Manipulation in Splunk

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, threatening the integrity of information presented at runtime. Unlike stored data manipulation which alters data at rest, runtime manipulation intercepts and alters data in memory or during processing before it reaches the display layer — allowing adversaries to show fraudulent information while persisting clean data on disk. APT38 demonstrated this with DYEPACK.FOX, which hooked PDF rendering to redact fraudulent SWIFT transaction records from operator views. Runtime manipulation typically requires process injection (CreateRemoteThread, WriteProcessMemory), DLL hijacking into display application processes, or API hooking of rendering or formatting functions. The technique is particularly dangerous in financial, SCADA, and operational technology environments where displayed data directly informs decisions.

MITRE ATT&CK

Tactic
Impact
Technique
T1565 Data Manipulation
Sub-technique
T1565.003 Runtime Data Manipulation
Canonical reference
https://attack.mitre.org/techniques/T1565/003/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (
    EventCode=8
    (
      TargetImage="*\\acrord32.exe" OR TargetImage="*\\acrobat.exe" OR
      TargetImage="*\\foxitreader.exe" OR TargetImage="*\\sumatrapdf.exe" OR
      TargetImage="*\\excel.exe" OR TargetImage="*\\winword.exe" OR
      TargetImage="*\\powerpnt.exe" OR TargetImage="*\\outlook.exe" OR
      TargetImage="*\\explorer.exe" OR TargetImage="*\\mmc.exe"
    )
  )
  OR
  (
    EventCode=10
    (
      TargetImage="*\\acrord32.exe" OR TargetImage="*\\acrobat.exe" OR
      TargetImage="*\\foxitreader.exe" OR TargetImage="*\\excel.exe" OR
      TargetImage="*\\winword.exe" OR TargetImage="*\\outlook.exe"
    )
    (
      SourceImage="*\\powershell.exe" OR SourceImage="*\\pwsh.exe" OR
      SourceImage="*\\cmd.exe" OR SourceImage="*\\wscript.exe" OR
      SourceImage="*\\cscript.exe" OR SourceImage="*\\mshta.exe" OR
      SourceImage="*\\rundll32.exe" OR SourceImage="*\\regsvr32.exe"
    )
  )
  OR
  (
    EventCode=7
    (
      Image="*\\acrord32.exe" OR Image="*\\acrobat.exe" OR
      Image="*\\foxitreader.exe" OR Image="*\\excel.exe" OR
      Image="*\\winword.exe"
    )
    NOT (
      ImageLoaded="C:\\Windows\\*" OR ImageLoaded="C:\\Program Files\\Adobe\\*" OR
      ImageLoaded="C:\\Program Files\\Foxit\\*" OR ImageLoaded="C:\\Program Files\\Microsoft Office\\*" OR
      ImageLoaded="C:\\Program Files (x86)\\Microsoft Office\\*" OR
      Signed="true"
    )
  )
)
| eval EventType=case(
    EventCode="8", "RemoteThreadInjection",
    EventCode="10", "SuspiciousProcessAccess",
    EventCode="7", "UnexpectedDllLoad",
    true(), "Unknown"
  )
| eval User=coalesce(User, SourceUser)
| eval TargetProc=coalesce(TargetImage, Image)
| eval SourceProc=coalesce(SourceImage, "N/A")
| eval GrantedAccessHex=coalesce(GrantedAccess, "N/A")
| eval GrantedAccessInt=tonumber(replace(GrantedAccessHex, "^0x", ""), 16)
| eval IsWriteAccess=if(isnotnull(GrantedAccessInt) AND (floor(GrantedAccessInt/32)%2)=1, 1, 0)
| eval RiskScore=case(
    EventCode="8", 3,
    EventCode="10" AND IsWriteAccess=1, 2,
    EventCode="10" AND IsWriteAccess=0, 1,
    EventCode="7", 2,
    true(), 1
  )
| table _time, host, User, EventType, EventCode, TargetProc, SourceProc, GrantedAccessHex, IsWriteAccess, RiskScore, StartAddress, StartModule, ImageLoaded
| sort - RiskScore, _time
Severity: high · Confidence: medium

Detects runtime data manipulation mechanisms using Sysmon event telemetry across three complementary event types: EventCode 8 (CreateRemoteThread) catches thread injection into display/document applications regardless of source process; EventCode 10 (ProcessAccess) catches scripting engines and LOLBins opening document viewer processes; EventCode 7 (ImageLoad) catches unsigned or out-of-path DLLs loading into document viewer processes. IsWriteAccess converts GrantedAccess from hex and tests the PROCESS_VM_WRITE bit (0x0020), so any access mask that includes write rights (0x1F0FFF, 0x1FFFFF, 0x0028, and so on) is flagged while read-only masks such as 0x1410 are not; a substring match on a handful of literal hex values would miss masks like 0x1FFFFF, which is PROCESS_ALL_ACCESS on current Windows. The trusted-path exclusions are anchored to C:\ so that user-writable directories whose path merely contains \Windows\ (for example %APPDATA%\Microsoft\Windows\) are not silently excluded; adjust the drive letter if your system drive differs. Sysmon records the actor of EventCode 8 and 10 as SourceUser rather than User, so User is coalesced from both. A RiskScore field helps analysts prioritize: remote thread injection scores 3, process access with write rights scores 2, unexpected DLL loads score 2, and read-only process access scores 1.

Data Sources

Process: Process Access
Module: Module Load
Sysmon Event ID 8 (CreateRemoteThread)
Sysmon Event ID 10 (ProcessAccess)
Sysmon Event ID 7 (ImageLoad)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • EDR and AV products routinely inject monitoring threads and DLLs into all processes. The Signed="true" exclusion only suppresses their DLL loads in the EventCode 7 branch; the EventCode 8 branch alerts regardless of source, so sensor binaries must be allowlisted by SourceImage (their install path) for EventCode 8 and 10
  • Accessibility software (JAWS screen reader, ZoomText) attaches to document viewer processes to intercept rendering APIs for visually impaired users
  • Microsoft IntelliType, Wacom tablet drivers, and similar peripheral software inject into processes to provide input handling functionality
  • Enterprise DLP and content inspection agents (Symantec DLP, Forcepoint, Nightfall) legitimately hook into Office and PDF processes to intercept document content for policy enforcement
  • PDF printer drivers and virtual printer integrations inject into Acrobat/reader processes to intercept print spooler output
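The query's classification and scoring logic, together with the SourceImage allowlist recommended in the tuning notes above, re-implemented in Python so it can be exercised offline against sample events. This is an added example, not code from the original page or from Splunk; the Sysmon XML events are constructed for the example rather than captured telemetry, "ExampleEDR" is a hypothetical vendor name standing in for whatever sensor you allowlist, and the GrantedAccess test uses the real PROCESS_VM_WRITE bit so it behaves like the corrected SPL rather than a hex substring match.

```python
"""Offline re-implementation of the T1565.003 SPL classification and scoring.

Parses Sysmon XML events (EventID 7, 8, 10), applies the same target, source
and trusted-path filters as the SPL, tests GrantedAccess with a bit mask
rather than a hex substring, and scores the result. All events below are
constructed for this example; "ExampleEDR" is a hypothetical vendor name.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process sets mirror the three branches of the SPL (lower-cased basenames).
THREAD_TARGETS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe", "excel.exe",
                  "winword.exe", "powerpnt.exe", "outlook.exe", "explorer.exe", "mmc.exe"}
ACCESS_TARGETS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "excel.exe", "winword.exe", "outlook.exe"}
LOLBIN_SOURCES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                  "rundll32.exe", "regsvr32.exe"}
LOAD_TARGETS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "excel.exe", "winword.exe"}
# Anchored to the system drive: a bare "*\Windows\*" would also exclude user-writable
# paths such as %APPDATA%\Microsoft\Windows\.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\adobe\\", "c:\\program files\\foxit\\",
                        "c:\\program files\\microsoft office\\", "c:\\program files (x86)\\microsoft office\\")
PROCESS_VM_WRITE = 0x0020  # needed (with PROCESS_VM_OPERATION 0x0008) by WriteProcessMemory


def basename(path):
    """Last component of a Windows path, lower-cased for set membership tests."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(xml_text):
    """Flatten one Sysmon XML event into {"EventID": int, <Data Name>: text}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def has_write_access(granted):
    """True if the PROCESS_VM_WRITE bit is set in a Sysmon GrantedAccess string."""
    try:
        return bool(int(granted, 16) & PROCESS_VM_WRITE)
    except (TypeError, ValueError):
        return False  # missing or malformed mask counts as no write access


def legacy_substring_check(granted):
    """The original query's substring regex, kept only to show where it diverges."""
    return re.search(r"(1F0FFF|001F|0028|0020)", granted or "") is not None


def classify(ev, source_allowlist=()):
    """Return the fields the SPL would emit for one event, or None if it is filtered out."""
    eid, src = ev["EventID"], ev.get("SourceImage", "")
    if any(src.lower().startswith(p.lower()) for p in source_allowlist):
        return None  # tuned-out EDR / accessibility / DLP agent (see False Positives)
    if eid == 8 and basename(ev.get("TargetImage", "")) in THREAD_TARGETS:
        return {"EventType": "RemoteThreadInjection", "TargetProc": ev["TargetImage"],
                "SourceProc": src, "IsWriteAccess": 0, "RiskScore": 3}
    if eid == 10 and basename(ev.get("TargetImage", "")) in ACCESS_TARGETS and basename(src) in LOLBIN_SOURCES:
        w = has_write_access(ev.get("GrantedAccess"))
        return {"EventType": "SuspiciousProcessAccess", "TargetProc": ev["TargetImage"],
                "SourceProc": src, "IsWriteAccess": int(w), "RiskScore": 2 if w else 1}
    if eid == 7 and basename(ev.get("Image", "")) in LOAD_TARGETS:
        trusted = (ev.get("ImageLoaded", "").lower().startswith(TRUSTED_DLL_PREFIXES)
                   or ev.get("Signed", "").lower() == "true")
        if not trusted:
            return {"EventType": "UnexpectedDllLoad", "TargetProc": ev["Image"],
                    "SourceProc": "N/A", "IsWriteAccess": 0, "RiskScore": 2}
    return None


def _sysmon_xml(event_id, **data):
    """Build a minimal Sysmon XML event (constructed test input, not real telemetry)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID><Computer>WS01</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ACRO = r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    _sysmon_xml(8, SourceImage=PS, TargetImage=ACRO, StartAddress="0x0000020A4B120000", StartModule=""),
    # PROCESS_ALL_ACCESS on current Windows is 0x1FFFFF: the substring regex misses it, the bit test does not.
    _sysmon_xml(10, SourceImage=PS, TargetImage=OFFICE + r"\WINWORD.EXE", GrantedAccess="0x1FFFFF"),
    # QUERY_INFORMATION | VM_READ only: genuine read access, lowest score.
    _sysmon_xml(10, SourceImage=PS, TargetImage=OFFICE + r"\EXCEL.EXE", GrantedAccess="0x1410"),
    # Unsigned DLL from a user-writable path that happens to contain "\Windows\".
    _sysmon_xml(7, Image=ACRO, ImageLoaded=r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\render.dll",
                Signed="false"),
    _sysmon_xml(7, Image=ACRO, ImageLoaded=r"C:\Windows\System32\ntdll.dll", Signed="true"),
    # Hypothetical EDR sensor injecting its monitoring thread: suppressed by the SourceImage allowlist.
    _sysmon_xml(8, SourceImage=r"C:\Program Files\ExampleEDR\sensor.exe", TargetImage=OFFICE + r"\OUTLOOK.EXE",
                StartAddress="0x00007FF8A0001000", StartModule=r"C:\Program Files\ExampleEDR\hook64.dll"),
]
EDR_ALLOWLIST = ("C:\\Program Files\\ExampleEDR\\",)


def run_detection(xml_events=SAMPLE_EVENTS, source_allowlist=EDR_ALLOWLIST):
    """Classify every event and return alerts sorted by RiskScore descending, as the SPL does."""
    alerts = [a for a in (classify(parse_event(x), source_allowlist) for x in xml_events) if a]
    return sorted(alerts, key=lambda a: -a["RiskScore"])


if __name__ == "__main__":
    for a in run_detection():
        print(a["RiskScore"], a["EventType"], basename(a["TargetProc"]), "<-", basename(a["SourceProc"]))
```

Running the block lists four alerts (the signed ntdll.dll load and the allowlisted sensor thread are dropped); pass `source_allowlist=()` to `run_detection` to see the EDR event surface as a score-3 RemoteThreadInjection, which is exactly the false positive the tuning bullet above describes. `legacy_substring_check` is there only to make the divergence concrete: it returns False for 0x1FFFFF while `has_write_access` returns True.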
Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each lists the behaviour to exercise and the telemetry you should expect to see. Note that the rule's target lists do not include notepad.exe (Tests 1 and 4) and cover explorer.exe only in the EventCode 8 branch (Test 2), so to exercise the query as written either point the injection at a listed viewer process such as acrord32.exe or winword.exe, or temporarily add the test's target to the TargetImage/Image lists. Test 3 produces Linux telemetry that the Windows Sysmon sourcetype above does not carry; it validates the technique, not this query.

  1. Test 1: CreateRemoteThread Injection into Notepad (Windows Shellcode Proxy)

    Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, StartAddress=<allocated_address>, StartModule='' (empty — shellcode, not DLL). Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x1F0FFF. Security Event ID 4688: powershell.exe process creation with the injection command line.

  2. Test 2: DLL Injection via LoadLibrary into Explorer (Reflective Load Simulation)

    Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=explorer.exe, StartAddress=<LoadLibraryW_address>, StartModule=C:\Windows\System32\kernel32.dll, StartFunction=LoadLibraryW. Sysmon Event ID 7 (ImageLoad) in explorer.exe process showing version.dll load if not already present. Sysmon Event ID 10: GrantedAccess=0x1F0FFF from powershell.exe into explorer.exe.

  3. Test 3: Linux LD_PRELOAD Injection to Intercept Display Library Functions

    Expected signal: Linux audit log (auditd): execve syscall for gcc compilation of the shared library. execve syscall for the LD_PRELOAD bash invocation with the environment variable set. syslog/auth.log: LD_PRELOAD environment variable may appear in process accounting. Sysmon for Linux (if deployed): EventCode 1 (Process Create) with CommandLine containing 'LD_PRELOAD' and the .so path. File creation events for /tmp/intercept_display.c and /tmp/intercept_display.so.

  4. Test 4: Inline Function Hook (IAT Patch) in Running Process via PowerShell

    Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x0410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ). Security Event ID 4688: powershell.exe execution with the command line. If AV is monitoring OpenProcess calls on non-EDR processes, an additional alert may fire from the security product.
