T1565 Splunk · SPL

Detect Data Manipulation in Splunk

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, threatening the integrity of the data. This technique encompasses three sub-techniques: Stored Data Manipulation (T1565.001), where adversaries directly alter files, databases, configuration data, or audit logs at rest; Transmitted Data Manipulation (T1565.002), where data is modified during transit via network interception or proxy manipulation; and Runtime Data Manipulation (T1565.003), where in-memory data structures or process state are altered during execution. Real-world examples include FIN13 (Elephant Beetle) injecting fraudulent financial transactions into compromised payment networks to incrementally siphon funds while mimicking legitimate processing behavior. Successful data manipulation campaigns often require prolonged access, domain-specific knowledge of the target system, and specialized tooling. The impact ranges from corrupted financial records and falsified audit trails to undermined operational decision-making and destroyed forensic evidence.

MITRE ATT&CK

Tactic: Impact
Technique: T1565 Data Manipulation
Canonical reference: https://attack.mitre.org/techniques/T1565/

SPL Detection Query

Splunk (SPL)
index=wineventlog
    ((sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11)
    OR (sourcetype="WinEventLog:Security" EventCode=1102)
    OR (sourcetype="WinEventLog:System" EventCode=104))
| eval TargetFile=coalesce(TargetFilename, "Windows Event Log")
| eval FileExt=lower(mvindex(split(TargetFile, "."), -1))
| eval IsDbFile=if(match(FileExt,"^(mdf|ldf|db|sqlite|accdb|mdb|sql|bak|dbf|frm)$"), 1, 0)
| eval IsCriticalPath=if(match(lower(TargetFile),
    "(\\\\windows\\\\system32\\\\winevt\\\\logs|\\\\inetpub\\\\logs|\\\\program files\\\\microsoft sql server|\\\\windows\\\\system32\\\\config)"), 1, 0)
| eval IsScriptingEngine=if(match(lower(coalesce(Image, "")),
    "(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|perl\.exe|bash$|sh$|node\.exe|php\.exe|ruby\.exe|cmd\.exe)"), 1, 0)
| eval IsLegitProcess=if(match(lower(coalesce(Image, "")),
    "(svchost\.exe|wininit\.exe|lsass\.exe|services\.exe|sqlservr\.exe|sqlagent\.exe|msmpeng\.exe|csrss\.exe|trustedinstaller\.exe|tiworker\.exe)"), 1, 0)
| eval AlertType=case(
    EventCode=1102 OR EventCode=104, "AuditLogCleared",
    IsDbFile=1 AND IsScriptingEngine=1, "DatabaseFileTampering",
    IsCriticalPath=1 AND IsLegitProcess=0, "CriticalPathTampering",
    1=1, null()
  )
| where isnotnull(AlertType)
| eval AlertSeverity=case(
    AlertType="AuditLogCleared", "Critical",
    AlertType="DatabaseFileTampering" OR AlertType="CriticalPathTampering", "High",
    1=1, "Medium"
  )
| eval AccountName=coalesce(User, SubjectUserName, "unknown")
| eval ProcessImage=coalesce(Image, "Windows Event Log Service")
| append
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 earliest=-2h latest=now
    | eval Folder=replace(TargetFilename, "\\\\[^\\\\]+$", "")
    | eval FileName=mvindex(split(TargetFilename, "\\"), -1)
    | bin _time span=5m
    | stats count as FileCount, dc(Folder) as UniqueFolders,
             values(FileName) as SampleFiles,
             values(CommandLine) as CommandLine
             by _time, host, User, Image
    | where FileCount > 80 AND UniqueFolders >= 3
    | eval AlertType="BulkFileModification", AlertSeverity="Medium"
    | eval AccountName=User, ProcessImage=Image
    | eval TargetFile=mvjoin(mvindex(SampleFiles, 0, 4), ", ")]
| table _time, host, AccountName, ProcessImage, CommandLine, AlertType, AlertSeverity, TargetFile
| sort - _time
Severity: High · Confidence: Medium

Detects data manipulation activity using Sysmon Event ID 11 (FileCreate) together with the Windows log-clearing events, Event ID 1102 (Security log cleared, written to the Security log) and Event ID 104 (event log cleared, written to the System log). The primary search classifies events into three alert types using eval/case logic: AuditLogCleared (Security or System log cleared), DatabaseFileTampering (database file extensions created or overwritten by scripting engines), and CriticalPathTampering (writes to Windows event log directories, IIS logs, SQL Server paths, or system config paths by non-standard processes). An appended subsearch bins FileCreate events into 5-minute windows per host, user and image to detect bulk file modification bursts (more than 80 files across 3 or more folders within one window) indicative of automated data falsification. All branches are returned in a unified table sorted by recency. Two caveats: Sysmon Event ID 11 fires only when a file is created or overwritten, so an in-place append to an existing file is not seen unless the writing tool recreates the file (most editors and scripting engines do); and the appended subsearch is bound by Splunk's subsearch result-count and runtime limits, so on busy file servers the bulk branch is better scheduled as its own search.

Data Sources

  • File: File Creation
  • File: File Modification
  • Windows: Security Event Log
  • Sysmon Event ID 11

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security (Event ID 1102)
  • WinEventLog:System (Event ID 104)

False Positives & Tuning

  • Backup software performing legitimate bulk file operations or database snapshot creation during scheduled backup windows — filter by known backup service accounts and parent processes (e.g., VeeamAgent.exe, BackupExec.exe)
  • Database maintenance scripts (SQL Server maintenance plans, VACUUM in SQLite) that legitimately create and overwrite .bak, .mdf, or .db files — allowlist known DBA service accounts and maintenance job paths
  • SCCM or Intune deployment scripts executing via cmd.exe or PowerShell to update application databases or bulk-copy configuration files — filter by SCCM agent parent process (CcmExec.exe)
  • Automated log archiving tools or SIEM agents clearing forwarded Windows event logs after successful shipping to prevent disk exhaustion
  • Developer workstations running database migration frameworks (Flyway, Liquibase, EF Core) via Python or Node that legitimately write .db or .sql files during development
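
The following Python script is an added example, not part of this page or its detection package, that re-implements the query's logic off-line: the three per-event branches of the AlertType case(), the 5-minute bucketing of the BulkFileModification subsearch, and an (account, image) allowlist of the kind the tuning bullets above recommend. Running it over constructed events lets you check a regex, threshold or allowlist change before editing the saved search. The host names, the CORP\... accounts, the file paths and the ALLOWLIST entry are all constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes mirror the match() clauses of the SPL query (inputs are lower-cased first, as in the search).
DB_EXT = re.compile(r"^(mdf|ldf|db|sqlite|accdb|mdb|sql|bak|dbf|frm)$")
CRITICAL_PATH = re.compile(r"(\\windows\\system32\\winevt\\logs|\\inetpub\\logs|"
                           r"\\program files\\microsoft sql server|\\windows\\system32\\config)")
SCRIPT_ENGINE = re.compile(r"(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|"
                           r"perl\.exe|bash$|sh$|node\.exe|php\.exe|ruby\.exe|cmd\.exe)")
LEGIT_PROCESS = re.compile(r"(svchost\.exe|wininit\.exe|lsass\.exe|services\.exe|sqlservr\.exe|"
                           r"sqlagent\.exe|msmpeng\.exe|csrss\.exe|trustedinstaller\.exe|tiworker\.exe)")
SEVERITY = {"AuditLogCleared": "Critical", "DatabaseFileTampering": "High",
            "CriticalPathTampering": "High", "BulkFileModification": "Medium"}

# Hypothetical tuning allowlist of lower-cased (account, image) pairs: a DBA maintenance job that
# legitimately writes .bak files through PowerShell. Placeholder names, not taken from the page.
ALLOWLIST = {("corp\\svc_dbmaint", "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")}
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"


def allowed(ev):
    """True when the event's (account, image) pair is on the tuning allowlist."""
    return (ev.get("User", "").lower(), ev.get("Image", "").lower()) in ALLOWLIST


def classify(ev):
    """Per-event branch of the search (the AlertType case()); None means no alert."""
    if ev.get("EventCode") in (1102, 104):
        return "AuditLogCleared"
    image = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "Windows Event Log").lower()
    ext = target.rsplit(".", 1)[-1]            # same as mvindex(split(TargetFile, "."), -1)
    if DB_EXT.match(ext) and SCRIPT_ENGINE.search(image):
        return "DatabaseFileTampering"
    if CRITICAL_PATH.search(target) and not LEGIT_PROCESS.search(image):
        return "CriticalPathTampering"
    return None


def bulk_bursts(events, threshold=80, min_folders=3, span=timedelta(minutes=5)):
    """Subsearch branch: bin FileCreate events into 5-minute buckets per host/User/Image."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 11:
            continue
        t = ev["_time"]
        bin_start = t - (t - datetime.min) % span          # floors like | bin _time span=5m
        buckets[(bin_start, ev["host"], ev.get("User"), ev.get("Image"))].append(ev["TargetFilename"])
    alerts = []
    for (bin_start, host, user, image), files in buckets.items():
        folders = {f.rsplit("\\", 1)[0] for f in files}     # dc(Folder)
        if len(files) > threshold and len(folders) >= min_folders:
            names = sorted({f.rsplit("\\", 1)[-1] for f in files})   # values() is unique and sorted
            alerts.append({"_time": bin_start, "host": host, "AccountName": user, "ProcessImage": image,
                           "AlertType": "BulkFileModification", "AlertSeverity": "Medium",
                           "TargetFile": ", ".join(names[:5])})
    return alerts


def detect(events):
    """Whole pipeline: allowlist filter, per-event branch, bulk-burst branch, newest first."""
    events = [ev for ev in events if not allowed(ev)]
    alerts = []
    for ev in events:
        kind = classify(ev)
        if kind:
            alerts.append({"_time": ev["_time"], "host": ev["host"],
                           "AccountName": ev.get("User") or ev.get("SubjectUserName") or "unknown",
                           "ProcessImage": ev.get("Image", "Windows Event Log Service"),
                           "AlertType": kind, "AlertSeverity": SEVERITY[kind],
                           "TargetFile": ev.get("TargetFilename", "Windows Event Log")})
    alerts.extend(bulk_bursts(events))
    return sorted(alerts, key=lambda a: a["_time"], reverse=True)


# Constructed sample telemetry (not real logs): one event per branch plus one benign and one allowlisted.
T0 = datetime(2026, 3, 18, 9, 0, 0)
SAMPLE_EVENTS = [
    {"_time": T0, "host": "WS01", "EventCode": 1102, "SubjectUserName": "jdoe"},
    {"_time": T0 + timedelta(seconds=30), "host": "WS01", "EventCode": 11, "User": "CORP\\jdoe",
     "Image": "C:\\Python311\\python.exe", "CommandLine": "python.exe ledger_update.py",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\test_ledger.db"},
    {"_time": T0 + timedelta(seconds=45), "host": "WEB01", "EventCode": 11, "User": "CORP\\jdoe",
     "Image": PS, "TargetFilename": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex260318.log"},
    {"_time": T0 + timedelta(seconds=50), "host": "SQL01", "EventCode": 11, "User": "NT SERVICE\\MSSQLSERVER",
     "Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL16.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe",
     "TargetFilename": "C:\\Program Files\\Microsoft SQL Server\\MSSQL16.MSSQLSERVER\\MSSQL\\DATA\\tempdb.mdf"},
    {"_time": T0 + timedelta(seconds=55), "host": "SQL01", "EventCode": 11, "User": "CORP\\svc_dbmaint",
     "Image": PS, "TargetFilename": "D:\\Backup\\ledger.bak"},
] + [  # 100 FileCreate events from one PowerShell process across 4 sub-folders inside one 5-minute bin
    {"_time": T0 + timedelta(minutes=10, seconds=i), "host": "FS01", "EventCode": 11, "User": "CORP\\jdoe",
     "Image": PS, "CommandLine": "powershell.exe -File bulk_update.ps1",
     "TargetFilename": f"C:\\Data\\records\\sub{i % 4}\\rec{i:03d}.csv"}
    for i in range(100)
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["_time"], a["host"], a["AlertType"], a["AlertSeverity"], a["AccountName"], a["TargetFile"])
```

The sqlservr.exe event exercises the IsLegitProcess exclusion and the svc_dbmaint event the allowlist; removing that account from ALLOWLIST turns its .bak write into a DatabaseFileTampering alert, which is exactly the noise the second tuning bullet is about. Keep the allowlist keyed on the account and the full image path rather than the image name alone, otherwise any PowerShell run under that account is excused.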

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Clear Windows Security Event Log

    Expected signal: Security Event ID 1102 logged in the Security log immediately before clearing, capturing SubjectUserName and SubjectDomainName of the clearing account. Sysmon Event ID 1 (Process Create) showing wevtutil.exe execution with CommandLine 'cl Security'. Note: the Security log itself will be empty after execution — collect artifacts from SIEM/forwarded logs.

  2. Test 2: Inject Fraudulent Record into SQLite Database via Python

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing sqlite3 and INSERT. Sysmon Event ID 11: FileCreate event for test_ledger.db in %TEMP% with python.exe as the initiating process. DeviceFileEvents: ActionType=FileCreated or FileModified, FileName=test_ledger.db, InitiatingProcessFileName=python.exe.

  3. Test 3: Bulk File Content Modification Simulating Data Falsification

    Expected signal: Multiple Sysmon Event ID 11 (FileCreate) events in rapid succession with powershell.exe as the initiating process, spanning 4 different subdirectories. DeviceFileEvents will show 100+ FileModified/FileCreated events from powershell.exe across 4+ distinct FolderPath values within a 5-minute window.

  4. Test 4: Tamper with IIS/Web Application Log File via PowerShell

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename matching u_ex260318.log, Image=powershell.exe. DeviceFileEvents: ActionType=FileCreated or FileModified, FileName containing IIS log naming convention, InitiatingProcessFileName=powershell.exe. The file path does not match the real IIS log directory but demonstrates the process-level signal.
