Detect Data Manipulation in Microsoft Sentinel
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, threatening the integrity of the data. This technique encompasses three sub-techniques: Stored Data Manipulation (T1565.001), where adversaries directly alter files, databases, configuration data, or audit logs at rest; Transmitted Data Manipulation (T1565.002), where data is modified during transit via network interception or proxy manipulation; and Runtime Data Manipulation (T1565.003), where in-memory data structures or process state are altered during execution. Real-world examples include FIN13 (Elephant Beetle) injecting fraudulent financial transactions into compromised payment networks to incrementally siphon funds while mimicking legitimate processing behavior. Successful data manipulation campaigns often require prolonged access, domain-specific knowledge of the target system, and specialized tooling. The impact ranges from corrupted financial records and falsified audit trails to undermined operational decision-making and destroyed forensic evidence.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1565 Data Manipulation
- Canonical reference
- https://attack.mitre.org/techniques/T1565/
KQL Detection Query
// T1565 — Data Manipulation
// Four-branch detection: audit log clearing, database file tampering,
// bulk file modification bursts, critical path tampering by unexpected processes
let ScriptingEngines = dynamic([
"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "python.exe", "python3.exe", "perl.exe",
"php.exe", "node.exe", "ruby.exe", "bash", "sh"
]);
let DatabaseExtensions = dynamic(["mdf", "ldf", "db", "sqlite", "accdb", "mdb", "sql", "bak", "dbf", "frm"]);
let CriticalLogPaths = dynamic([
"\\windows\\system32\\winevt\\logs",
"\\inetpub\\logs",
"\\program files\\microsoft sql server",
"\\windows\\system32\\config"
]);
let LegitFileActors = dynamic([
"svchost.exe", "wininit.exe", "lsass.exe", "services.exe",
"csrss.exe", "MsMpEng.exe", "sqlservr.exe", "sqlagent.exe",
"taskhostw.exe", "TrustedInstaller.exe", "TiWorker.exe"
]);
// Branch 1: Windows Security/System Audit Log Cleared (Event ID 1102 = Security, 104 = System)
let AuditLogCleared = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (1102, 104)
| project Timestamp=TimeGenerated, DeviceName=Computer,
AccountName=strcat(SubjectDomainName, "\\", SubjectUserName),
ProcessName="wevtutil.exe / Windows Event Log",
CommandLine="N/A",
FilePath=iff(EventID == 1102, "Windows Security Event Log", "Windows System Event Log"),
Alert="AuditLogCleared",
AlertSeverity="Critical";
// Branch 2: Database file modified or created by scripting interpreter
let DatabaseTampering = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileModified", "FileCreated", "FileRenamed")
| extend FileExt = tolower(tostring(split(FileName, ".")[-1]))
| where FileExt in (DatabaseExtensions)
| where InitiatingProcessFileName has_any (ScriptingEngines)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
ProcessName=InitiatingProcessFileName,
CommandLine=InitiatingProcessCommandLine,
FilePath=strcat(FolderPath, "\\", FileName),
Alert="DatabaseFileTampering",
AlertSeverity="High";
// Branch 3: Bulk file modification burst — single process modifies 80+ files across 3+ folders in 5 min
let BulkModification = DeviceFileEvents
| where Timestamp > ago(2h)
| where ActionType in ("FileModified", "FileCreated", "FileRenamed", "FileDeleted")
| summarize FileCount=count(),
FolderCount=dcount(FolderPath),
SampleFiles=make_set(FileName, 5),
CommandLine=any(InitiatingProcessCommandLine)
by DeviceName,
InitiatingProcessFileName,
InitiatingProcessAccountName,
TimeBin=bin(Timestamp, 5m)
| where FileCount > 80 and FolderCount >= 3
| project Timestamp=TimeBin, DeviceName,
AccountName=InitiatingProcessAccountName,
ProcessName=InitiatingProcessFileName,
CommandLine,
FilePath=strcat("BulkOp (", tostring(FileCount), " files): ", tostring(SampleFiles)),
Alert="BulkFileModification",
AlertSeverity="Medium";
// Branch 4: Critical system/log path file modification by unexpected process
let CriticalPathTampering = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileModified", "FileDeleted", "FileRenamed")
| where FolderPath has_any (CriticalLogPaths)
| where InitiatingProcessFileName !in~ (LegitFileActors)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
ProcessName=InitiatingProcessFileName,
CommandLine=InitiatingProcessCommandLine,
FilePath=strcat(FolderPath, "\\", FileName),
Alert="CriticalPathTampering",
AlertSeverity="High";
// Union all branches into single alert stream
union AuditLogCleared, DatabaseTampering, BulkModification, CriticalPathTampering
| project Timestamp, DeviceName, AccountName, ProcessName, CommandLine,
Alert, AlertSeverity, FilePath
| sort by Timestamp descDetects data manipulation activity using four detection branches unified into a single alert stream. Branch 1 catches Windows Security (Event ID 1102) and System (Event ID 104) event log clearing — a critical indicator of adversary evidence destruction. Branch 2 identifies database files (.mdf, .ldf, .db, .sqlite, .accdb, and others) being created or modified by scripting engines (PowerShell, Python, wscript, etc.), suggesting automated record injection or corruption. Branch 3 flags bulk file modification bursts where a single process modifies more than 80 files across 3+ distinct folders within a 5-minute window, consistent with automated data falsification or ransomware-like tampering. Branch 4 detects non-standard processes modifying files in critical system paths (Windows event log directories, IIS logs, SQL Server data directories, Windows\System32\config). Queries DeviceFileEvents from Microsoft Defender for Endpoint and SecurityEvent from Windows Security logs.
Data Sources
Required Tables
False Positives & Tuning
- Backup software (Veeam, Commvault, Windows Server Backup, rsync) performing legitimate bulk file copies, database snapshots, or .bak file creation during scheduled backup windows
- Database maintenance jobs — SQL Server maintenance plans, DBCC CHECKDB, SQLite VACUUM, or MySQL/PostgreSQL dump operations — that routinely create and modify .mdf, .ldf, .db, or .bak files
- Software deployment and patch management systems (SCCM, Intune, Ansible, Chef) using PowerShell or cmd.exe to update configuration files, application databases, or perform bulk file operations during maintenance windows
- Log aggregation and SIEM forwarding agents that archive, compress, or clear old Windows event logs as part of scheduled log rotation or log shipping workflows
- CI/CD pipeline agents executing database schema migrations, bulk data seeding, or file generation steps via scripting engines during deployment runs
Other platforms for T1565
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Clear Windows Security Event Log
Expected signal: Security Event ID 1102 logged in the Security log immediately before clearing, capturing SubjectUserName and SubjectDomainName of the clearing account. Sysmon Event ID 1 (Process Create) showing wevtutil.exe execution with CommandLine 'cl Security'. Note: the Security log itself will be empty after execution — collect artifacts from SIEM/forwarded logs.
- Test 2Inject Fraudulent Record into SQLite Database via Python
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing sqlite3 and INSERT. Sysmon Event ID 11: FileCreate event for test_ledger.db in %TEMP% with python.exe as the initiating process. DeviceFileEvents: ActionType=FileCreated or FileModified, FileName=test_ledger.db, InitiatingProcessFileName=python.exe.
- Test 3Bulk File Content Modification Simulating Data Falsification
Expected signal: Multiple Sysmon Event ID 11 (FileCreate) events in rapid succession with powershell.exe as the initiating process, spanning 4 different subdirectories. DeviceFileEvents will show 100+ FileModified/FileCreated events from powershell.exe across 4+ distinct FolderPath values within a 5-minute window.
- Test 4Tamper with IIS/Web Application Log File via PowerShell
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename matching u_ex260318.log, Image=powershell.exe. DeviceFileEvents: ActionType=FileCreated or FileModified, FileName containing IIS log naming convention, InitiatingProcessFileName=powershell.exe. The file path does not match the real IIS log directory but demonstrates the process-level signal.
References (12)
- https://attack.mitre.org/techniques/T1565/
- https://attack.mitre.org/techniques/T1565/001/
- https://attack.mitre.org/techniques/T1565/002/
- https://attack.mitre.org/techniques/T1565/003/
- https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1565/T1565.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file
- https://www.cisa.gov/sites/default/files/2024-01/CISA_Techniques_for_Detecting_Data_Tampering.pdf
- https://www.mandiant.com/resources/blog/fin13-elephant-beetle-targeted-financial-frauds
Unlock Pro Content
Get the full detection package for T1565 including response playbook, investigation guide, and atomic red team tests.