title: Stored Data Manipulation (T1565.001)
id: df00tech-t1565-001
status: experimental
description: "Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. Real-world examples include APT38's DYEPACK tool creating, deleting, and altering records in SWIFT banking transaction databases to obscure fraudulent transfers; the SUNSPOT implant (used in the SolarWinds supply chain compromise) that backed up original Orion source files with a .bk extension and wrote trojanized replacements under the original filename; and the MultiLayer Wiper used by Agrius that altered path metadata of deleted files to obstruct forensic recovery."
references:
  - https://attack.mitre.org/techniques/T1565/001/
  - https://df00tech.com/detections/T1565.001
author: df00tech
date: 2026/03/12
tags:
  - attack.t1565.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software deployment or configuration management tools (Ansible, Chef, Puppet, SCCM) that atomically replace configuration files by writing to a temp file and renaming — creates backup-like patterns with high file counts"
  - "Backup agents (Veeam, Veritas, Acronis, Windows Server Backup) that create .bak copies of databases or config files before snapshotting — triggers both the backup-replace and bulk modification patterns"
  - "Development CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) that generate, compile, and write multiple source code or config files in rapid succession during build steps"
  - "Antivirus or DLP quarantine operations that move or rename files with modified extensions during remediation workflows"
  - "Database maintenance scripts (index rebuilds, VACUUM, CHECKPOINT operations run by scripts) that write temporary files alongside primary database files"
  - "Document management systems (SharePoint sync, Dropbox, OneDrive) that batch-sync large numbers of Office documents during initial sync or conflict resolution"
level: high
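As an added illustration, not part of this rule or the df00tech query it points to, the following Python check runs over constructed file-write events and flags the backup-then-replace pattern the description attributes to SUNSPOT (write `<name>.bk`, then overwrite `<name>`) together with the bulk-modification pattern named in the false positives. The event shape, process names, suffix list and the allowlist of deployment tools are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real log source): (timestamp, process, path written).
SAMPLE_EVENTS = [
    ("2026-03-12T10:00:01", "build.exe", r"C:\src\app\InventoryManager.cs.bk"),
    ("2026-03-12T10:00:02", "build.exe", r"C:\src\app\InventoryManager.cs"),
    ("2026-03-12T10:05:00", "puppet-agent.exe", r"C:\etc\app.conf.bak"),
    ("2026-03-12T10:05:01", "puppet-agent.exe", r"C:\etc\app.conf"),
    ("2026-03-12T10:30:00", "WINWORD.EXE", r"C:\Users\a\report.docx"),
]

BACKUP_SUFFIXES = (".bk", ".bak", ".orig")  # assumed backup-copy suffixes
# Hypothetical allowlist of config-management / deployment processes (see falsepositives).
ALLOWLISTED = {"puppet-agent.exe", "chef-client.exe", "ccmexec.exe"}
WINDOW = timedelta(seconds=60)

def find_backup_replace(events, window=WINDOW, allowlist=ALLOWLISTED):
    """Return (process, original_path) pairs where one process wrote <path><suffix>
    and then wrote <path> itself within `window`, unless the process is allowlisted."""
    hits, pending = [], {}  # pending: (process, original_path) -> time of backup write
    for ts, proc, path in sorted(events):
        t = datetime.fromisoformat(ts)
        lower = path.lower()
        for suf in BACKUP_SUFFIXES:
            if lower.endswith(suf):
                pending[(proc, path[:-len(suf)])] = t  # remember the backup copy
                break
        else:
            key = (proc, path)
            if key in pending and t - pending[key] <= window:
                if proc.lower() not in allowlist:
                    hits.append(key)  # original filename rewritten right after its backup
                del pending[key]
    return hits

def find_bulk_writers(events, threshold=3, window=WINDOW):
    """Return processes that wrote at least `threshold` distinct files inside one `window`."""
    by_proc = defaultdict(list)
    for ts, proc, path in events:
        by_proc[proc].append((datetime.fromisoformat(ts), path))
    flagged = set()
    for proc, writes in by_proc.items():
        writes.sort()
        for i, (start, _) in enumerate(writes):
            paths = {p for t, p in writes[i:] if t - start <= window}
            if len(paths) >= threshold:
                flagged.add(proc)
                break
    return flagged
```

Tune `threshold`, `WINDOW` and the allowlist to the environment; the allowlist is exactly where the CI/CD, backup-agent and sync-client false positives listed above should be absorbed.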
