Esc
Runtime Data Manipulation - T1565.003
(ATT&CK® Technique)
Definition
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1565003["Runtime Data Manipulation"] --> |may-modify| ExecutableFile["Executable File"]; class T1565003 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
click T1565003 href "/offensive-technique/attack/T1565.003/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; ContentModification["Content Modification"] -->
| modifies | ExecutableFile["Executable File"];
ContentModification["Content Modification"] -.->
| may-isolate | T1565003["Runtime Data Manipulation"] ;
class ContentModification DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentModification href "/technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] -->
| quarantines | ExecutableFile["Executable File"];
ContentQuarantine["Content Quarantine"] -.->
| may-isolate | T1565003["Runtime Data Manipulation"] ;
class ContentQuarantine DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentQuarantine href "/technique/d3f:ContentQuarantine"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableFile["Executable File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1565003["Runtime Data Manipulation"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1565003["Runtime Data Manipulation"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1565003["Runtime Data Manipulation"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableFile["Executable File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1565003["Runtime Data Manipulation"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableFile["Executable File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1565003["Runtime Data Manipulation"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileEviction["File Eviction"] -->
| deletes | ExecutableFile["Executable File"];
FileEviction["File Eviction"] -.->
| may-evict | T1565003["Runtime Data Manipulation"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1565003["Runtime Data Manipulation"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1565003["Runtime Data Manipulation"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableFile["Executable File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1565003["Runtime Data Manipulation"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] -->
| restores | ExecutableFile["Executable File"];
RestoreFile["Restore File"] -.->
| may-restore | T1565003["Runtime Data Manipulation"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; ContentFiltering["Content Filtering"] -->
| filters | ExecutableFile["Executable File"];
ContentFiltering["Content Filtering"] -.->
| may-isolate | T1565003["Runtime Data Manipulation"] ;
class ContentFiltering DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentFiltering href "/technique/d3f:ContentFiltering"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1565003["Runtime Data Manipulation"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableFile["Executable File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1565003["Runtime Data Manipulation"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";