title: Runtime Data Manipulation (T1565.003)
id: df00tech-t1565-003
status: experimental
description: "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, threatening the integrity of information presented at runtime. Unlike stored data manipulation, which alters data at rest, runtime manipulation intercepts and alters data in memory or during processing before it reaches the display layer — allowing adversaries to show fraudulent information while clean data persists on disk. APT38 demonstrated this with DYEPACK.FOX, which hooked PDF rendering to redact fraudulent SWIFT transaction records from operator views. Runtime manipulation typically requires process injection (CreateRemoteThread, WriteProcessMemory), DLL hijacking into display application processes, or API hooking of rendering or formatting functions. The technique is particularly dangerous in financial, SCADA, and operational technology environments where displayed data directly informs decisions."
references:
  - https://attack.mitre.org/techniques/T1565/003/
  - https://df00tech.com/detections/T1565.003
author: df00tech
date: 2026/04/21
tags:
  - attack.t1565.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "EDR and AV products (CrowdStrike Falcon, Carbon Black, Cylance) routinely inject monitoring DLLs into all running processes including document viewers — their DLL paths and signing certificates should be allowlisted"
  - "Accessibility software (JAWS, NVDA, ZoomText) legitimately hooks rendering APIs in PDF and Office applications to provide screen reader functionality"
  - "Visual Studio debugger and tools like x64dbg/WinDbg attach to processes with full memory access rights during development and QA workflows"
  - "PDF print spooler integrations and enterprise DRM solutions (Adobe LiveCycle, Workshare, Vera) inject into Acrobat to intercept document output"
  - "Screen recording and enterprise content monitoring tools (Panopto, Citrix UiPath, Teramind) use process injection to capture display output for compliance purposes"
level: high
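Since the detection block above could not be auto-translated, the following is an added example (not part of the df00tech rule, and not its KQL/SPL query) of the logic a defender would typically write for this technique: it evaluates Sysmon-style events for the injection primitives the description names (Event ID 8 CreateRemoteThread, Event ID 10 ProcessAccess with write/thread rights, Event ID 7 unsigned ImageLoad) when the target is a document viewer or display application, and allowlists the EDR/accessibility tooling listed under falsepositives. The process set, allowlist paths and sample events are constructed assumptions for illustration and must be tuned to the environment.

```python
# Added example: minimal runtime-data-manipulation detector over Sysmon-style
# events. Display-process set, allowlist paths and sample events are assumed.

# Display-layer applications whose rendered output informs decisions (assumed set).
DISPLAY_PROCESSES = {"acrord32.exe", "acrobat.exe", "excel.exe", "winword.exe"}

# Source images expected to inject into every process: assumed paths for the
# EDR/accessibility products named in falsepositives (tune per environment).
ALLOWLISTED_SOURCES = {
    r"c:\program files\crowdstrike\csfalconservice.exe",
    r"c:\program files\freedom scientific\jaws\jfw.exe",
}

# Windows process access rights as reported in Sysmon Event ID 10 GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return a finding string for one event dict, or None if it is benign."""
    eid = event.get("EventID")
    if eid == 8:  # CreateRemoteThread into a display process
        src, tgt = event["SourceImage"], event["TargetImage"]
        if _basename(tgt) in DISPLAY_PROCESSES and src.lower() not in ALLOWLISTED_SOURCES:
            return f"remote thread into {_basename(tgt)} from {src}"
    elif eid == 10:  # ProcessAccess with rights sufficient for WriteProcessMemory / thread creation
        src, tgt = event["SourceImage"], event["TargetImage"]
        granted = int(event["GrantedAccess"], 16)
        if (_basename(tgt) in DISPLAY_PROCESSES
                and granted & INJECTION_MASK
                and src.lower() not in ALLOWLISTED_SOURCES):
            return f"memory-write/thread access to {_basename(tgt)} from {src} (0x{granted:x})"
    elif eid == 7:  # ImageLoad of an unsigned DLL into a display process (hijack/hook DLL)
        img = event["Image"]
        if (_basename(img) in DISPLAY_PROCESSES
                and event.get("Signed", "false").lower() != "true"
                and event["ImageLoaded"].lower() not in ALLOWLISTED_SOURCES):
            return f"unsigned DLL {event['ImageLoaded']} loaded into {_basename(img)}"
    return None


def scan(events):
    """Run evaluate() over a list of events and return the findings."""
    return [f for f in (evaluate(e) for e in events) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # EDR injecting into Acrobat Reader: allowlisted, no finding.
    {"EventID": 8, "SourceImage": r"C:\Program Files\CrowdStrike\CsFalconService.exe",
     "TargetImage": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"},
    # Unknown binary creating a remote thread in the PDF viewer: finding.
    {"EventID": 8, "SourceImage": r"C:\Users\ops\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"},
    # Read-only access (QUERY_INFORMATION|QUERY_LIMITED_INFORMATION|VM_READ): no finding.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "GrantedAccess": "0x1410"},
    # PROCESS_ALL_ACCESS to Excel from an unknown binary: finding.
    {"EventID": 10, "SourceImage": r"C:\Users\ops\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "GrantedAccess": "0x1F3FFF"},
    # Unsigned DLL from a user-writable directory loaded into the PDF viewer: finding.
    {"EventID": 7, "Image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "ImageLoaded": r"C:\Users\ops\AppData\Roaming\render.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is keyed on the full lower-cased source path rather than the file name, so a copy of an EDR binary dropped into a user-writable directory does not inherit the exemption; in production the check should also verify the signer of the source image, as the falsepositives entries suggest.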
