Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
Platforms
Mitigations (3)
Restrict File and Directory PermissionsM1022
Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.
Remote Data StorageM1029
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.
Encrypt Sensitive InformationM1041
Consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.(Citatio... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0562 | SUNSPOT | Malware | [SUNSPOT](https://attack.mitre.org/software/S0562) created a copy of the SolarWinds Orion software source file with a <code>.bk</code> extension to ba... |
| S1135 | MultiLayer Wiper | Malware | [MultiLayer Wiper](https://attack.mitre.org/software/S1135) changes the original path information of deleted files to make recovery efforts more diffi... |
References
- Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1565.001 (Stored Data Manipulation)?
T1565.001 is a MITRE ATT&CK technique named 'Stored Data Manipulation'. It belongs to the Impact tactic(s). Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citat...
How can T1565.001 be detected?
Detection of T1565.001 (Stored Data Manipulation) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1565.001?
There are 3 documented mitigations for T1565.001. Key mitigations include: Restrict File and Directory Permissions, Remote Data Storage, Encrypt Sensitive Information.
Which threat groups use T1565.001?
Known threat groups using T1565.001 include: APT38.