Esc
Data Manipulation - T1565
(ATT&CK® Technique)
Definition
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1565["Data Manipulation"] --> |may-modify| NetworkTraffic["Network Traffic"]; class T1565 OffensiveTechniqueNode;
class NetworkTraffic ArtifactNode; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";
click T1565 href "/offensive-technique/attack/T1565/"; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic"; T1565["Data Manipulation"] --> |modifies| File["File"]; class T1565 OffensiveTechniqueNode;
class File ArtifactNode; click File href "/dao/artifact/d3f:File";
click T1565 href "/offensive-technique/attack/T1565/"; click File href "/dao/artifact/d3f:File"; T1565["Data Manipulation"] --> |may-modify| ExecutableFile["Executable File"]; class T1565 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
click T1565 href "/offensive-technique/attack/T1565/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | NetworkTraffic["Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1565["Data Manipulation"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | NetworkTraffic["Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1565["Data Manipulation"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | NetworkTraffic["Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1565["Data Manipulation"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | NetworkTraffic["Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | NetworkTraffic["Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1565["Data Manipulation"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | NetworkTraffic["Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; DecoyFile["Decoy File"] -->
| spoofs | File["File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1565["Data Manipulation"] ;
class DecoyFile DefensiveTechniqueNode;
class File ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableFile["Executable File"];
class DecoyFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | File["File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1565["Data Manipulation"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class File ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | NetworkTraffic["Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableFile["Executable File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEncryption["File Encryption"] -->
| encrypts | File["File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1565["Data Manipulation"] ;
class FileEncryption DefensiveTechniqueNode;
class File ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableFile["Executable File"];
class FileEncryption DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; ContentModification["Content Modification"] -->
| modifies | File["File"];
ContentModification["Content Modification"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class ContentModification DefensiveTechniqueNode;
class File ArtifactNode;
click ContentModification href "/technique/d3f:ContentModification"; ContentModification["Content Modification"] -->
| modifies | ExecutableFile["Executable File"];
class ContentModification DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentModification href "/technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] -->
| quarantines | File["File"];
ContentQuarantine["Content Quarantine"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class ContentQuarantine DefensiveTechniqueNode;
class File ArtifactNode;
click ContentQuarantine href "/technique/d3f:ContentQuarantine"; ContentQuarantine["Content Quarantine"] -->
| quarantines | ExecutableFile["Executable File"];
class ContentQuarantine DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentQuarantine href "/technique/d3f:ContentQuarantine"; FileEviction["File Eviction"] -->
| deletes | ExecutableFile["Executable File"];
FileEviction["File Eviction"] -.->
| may-evict | T1565["Data Manipulation"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | File["File"];
class FileEviction DefensiveTechniqueNode;
class File ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; RestoreFile["Restore File"] -->
| restores | ExecutableFile["Executable File"];
RestoreFile["Restore File"] -.->
| may-restore | T1565["Data Manipulation"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | File["File"];
class RestoreFile DefensiveTechniqueNode;
class File ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableFile["Executable File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | File["File"];
class LocalFilePermissions DefensiveTechniqueNode;
class File ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | NetworkTraffic["Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; FileAnalysis["File Analysis"] -->
| analyzes | File["File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1565["Data Manipulation"] ;
class FileAnalysis DefensiveTechniqueNode;
class File ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
class FileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; ContentFiltering["Content Filtering"] -->
| filters | ExecutableFile["Executable File"];
ContentFiltering["Content Filtering"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class ContentFiltering DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentFiltering href "/technique/d3f:ContentFiltering"; ContentFiltering["Content Filtering"] -->
| filters | File["File"];
class ContentFiltering DefensiveTechniqueNode;
class File ArtifactNode;
click ContentFiltering href "/technique/d3f:ContentFiltering"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableFile["Executable File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1565["Data Manipulation"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | File["File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class File ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";