title: Transmitted Data Manipulation (T1565.002)
id: df00tech-t1565-002
status: experimental
description: "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, threatening data integrity. Manipulation may occur over network connections or between system processes, including intercepting clipboard contents to replace cryptocurrency addresses (crypto-clipping), modifying financial wire transfer messages such as SWIFT transactions, or altering email content during transit. Real-world examples include APT38 using DYEPACK to manipulate SWIFT messages, LightNeuron modifying Exchange email content in-flight, and commodity banking trojans Melcoz and Metamorfo silently replacing copied wallet addresses. This technique typically requires prolonged access and specialized knowledge of the target transmission mechanism."
references:
  - https://attack.mitre.org/techniques/T1565/002/
  - https://df00tech.com/detections/T1565.002
author: df00tech
date: 2026/03/12
tags:
  - attack.t1565.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The full multi-source logic (clipboard access, netsh portproxy, kernel
  # driver installation) could not be auto-translated to Sigma; see the KQL/SPL
  # query on df00tech. A wildcard EventID selection would match every process
  # creation event, so this selection covers only the process_creation portion:
  # netsh.exe adding a portproxy rule that redirects traffic to another host.
  selection_img:
    - Image|endswith: '\netsh.exe'
    - OriginalFileName: 'netsh.exe'
  selection_cli:
    CommandLine|contains|all:
      - 'portproxy'
      - 'add'
  condition: all of selection_*
falsepositives:
  - "Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately reads and writes clipboard data at high frequency and will trigger the ClipboardHijack pattern"
  - "Password managers (KeePass, 1Password, Bitwarden) that copy credentials to the clipboard will match clipboard access patterns"
  - "IT administrators configuring netsh portproxy for legitimate port forwarding, NAT traversal, or IPv4-to-IPv6 translation in lab or jump-host environments"
  - "Endpoint security vendors that install NDIS filter drivers for network traffic inspection (Palo Alto Cortex XDR, Symantec, CrowdStrike network filter components) will trigger the kernel driver installation pattern"
  - "VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect) and remote desktop tools that install virtual network adapter drivers with Type=SERVICE_KERNEL_DRIVER"
  - "Automated UI testing frameworks (Playwright, Selenium, AutoIt) that programmatically interact with clipboard in CI/CD test environments"
level: high
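Added example (not the df00tech KQL/SPL query and not part of the rule above): two of the patterns named in the falsepositives section, netsh adding a portproxy rule and a new service installed as a kernel mode driver, evaluated against constructed Sysmon (EventID 1) and System log (EventID 7045) events. The tuning is assumed for illustration: portproxy changes on hosts in JUMP_HOSTS are treated as administrative, and kernel drivers loaded from the standard system32\drivers directory are treated as vendor-installed. Host names, user names, service names and driver paths are all invented.

```python
"""Added example: evaluate the netsh portproxy and kernel-driver patterns from
the rule's falsepositives section against constructed Windows events.

Tuning assumptions (not from the rule): portproxy on hosts in JUMP_HOSTS is
administrative; drivers under system32\\drivers are vendor-installed.
"""
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]

# `portproxy ... add` on the command line. `netsh interface portproxy show all`
# does not match because the verb is not `add`; the \b anchors also keep the
# `add` inside `listenaddress`/`connectaddress` from matching.
PORTPROXY_ADD = re.compile(r"\bportproxy\b.*\badd\b", re.IGNORECASE)

# Assumed allowlist of jump hosts where admins legitimately configure portproxy.
JUMP_HOSTS = {"JUMP-01"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Computer": "WS-0412", "User": r"CORP\svc_backup",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=443 "
                    "listenaddress=0.0.0.0 connectport=443 connectaddress=10.0.0.5"},
    {"EventID": 1, "Computer": "WS-0412", "User": r"CORP\helpdesk",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy show all"},
    {"EventID": 1, "Computer": "JUMP-01", "User": r"CORP\admin.jdoe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov6 listenport=3389 "
                    "connectaddress=fd00::10 connectport=3389"},
    {"EventID": 7045, "Computer": "WS-0412", "ServiceName": "VendorNdisFilter",
     "ImagePath": r"\SystemRoot\System32\drivers\vendor_ndis.sys",
     "ServiceType": "kernel mode driver"},
    {"EventID": 7045, "Computer": "WS-0412", "ServiceName": "NetCapture",
     "ImagePath": r"C:\Users\Public\nc.sys",
     "ServiceType": "kernel mode driver"},
    {"EventID": 7045, "Computer": "WS-0412", "ServiceName": "UpdaterSvc",
     "ImagePath": r"C:\Program Files\Updater\updater.exe",
     "ServiceType": "user mode service"},
]


def is_portproxy_add(ev: Event) -> bool:
    """Process creation of netsh.exe whose command line adds a portproxy rule."""
    if ev.get("EventID") != 1:
        return False
    image = str(ev.get("Image", "")).lower()
    if not image.endswith("\\netsh.exe"):
        return False
    return PORTPROXY_ADD.search(str(ev.get("CommandLine", ""))) is not None


def is_kernel_driver_install(ev: Event) -> bool:
    """System 7045: a new service whose type is a kernel mode driver."""
    return (ev.get("EventID") == 7045
            and str(ev.get("ServiceType", "")).lower() == "kernel mode driver")


def driver_in_system_dir(image_path: str) -> bool:
    """Vendor filter drivers normally live under system32\\drivers; a .sys
    loaded from a user-writable location is the interesting case."""
    return "\\system32\\drivers\\" in image_path.lower().strip('"')


def evaluate(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (Computer, reason) for each event that survives the FP tuning."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        host = str(ev.get("Computer", "?"))
        if is_portproxy_add(ev) and host not in JUMP_HOSTS:
            alerts.append((host, "netsh portproxy add outside jump-host allowlist"))
        elif (is_kernel_driver_install(ev)
              and not driver_in_system_dir(str(ev.get("ImagePath", "")))):
            alerts.append((host, "kernel driver installed from non-system path"))
    return alerts


if __name__ == "__main__":
    for host, reason in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

Run stand-alone it reports two alerts, both on WS-0412: the portproxy add by a service account and the kernel driver loaded from C:\Users\Public. The portproxy add on JUMP-01 and the vendor driver under system32\drivers are suppressed by the tuning, which is the same trade-off the falsepositives entries describe: the allowlists have to be maintained per environment, and a path-based driver check only shifts the attacker's cost to writing into the drivers directory.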
