title: Data Manipulation (T1565)
id: df00tech-t1565
status: experimental
description: "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, threatening the integrity of the data. This technique encompasses three sub-techniques: Stored Data Manipulation (T1565.001), where adversaries directly alter files, databases, configuration data, or audit logs at rest; Transmitted Data Manipulation (T1565.002), where data is modified during transit via network interception or proxy manipulation; and Runtime Data Manipulation (T1565.003), where in-memory data structures or process state are altered during execution. Real-world examples include FIN13 (Elephant Beetle) injecting fraudulent financial transactions into compromised payment networks to incrementally siphon funds while mimicking legitimate processing behavior. Successful data manipulation campaigns often require prolonged access, domain-specific knowledge of the target system, and specialized tooling. The impact ranges from corrupted financial records and falsified audit trails to undermined operational decision-making and destroyed forensic evidence."
references:
  - https://attack.mitre.org/techniques/T1565/
  - https://df00tech.com/detections/T1565
author: df00tech
date: 2026/04/21
tags:
  - attack.t1565
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: a wildcard EventID matches every Windows event that carries an
  # EventID field, so this rule fires on everything until the selection is replaced.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup software (Veeam, Commvault, Windows Server Backup, rsync) performing legitimate bulk file copies, database snapshots, or .bak file creation during scheduled backup windows"
  - "Database maintenance jobs — SQL Server maintenance plans, DBCC CHECKDB, SQLite VACUUM, or MySQL/PostgreSQL dump operations — that routinely create and modify .mdf, .ldf, .db, or .bak files"
  - "Software deployment and patch management systems (SCCM, Intune, Ansible, Chef) using PowerShell or cmd.exe to update configuration files or application databases, or to perform bulk file operations during maintenance windows"
  - "Log aggregation and SIEM forwarding agents that archive, compress, or clear old Windows event logs as part of scheduled log rotation or log shipping workflows"
  - "CI/CD pipeline agents executing database schema migrations, bulk data seeding, or file generation steps via scripting engines during deployment runs"
level: high
