T1565.003: Runtime Data Manipulation

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct Change Default File Association and Masquerading to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

vsphere_suspicious_user_activity: PT-CR-520: Reconfiguring_Protective_VM: A virtual machine with installed security software is reconfigured vsphere_suspicious_user_activity: PT-CR-519: Mass_Reconfiguring_Protective_VM: Multiple virtual machines with installed security software are reconfigured

Detection

ID	DS0022	Data source and component	File: File Modification	Description	Monitor for unexpected files with manipulated data in order to manipulate external outcomes or hide activity

ID	DS0022	Data source and component	File: File Deletion	Description	Monitor for unexpected deletion of a file in order to manipulate external outcomes or hide activity

ID	DS0009	Data source and component	Process: OS API Execution	Description	Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.

ID	DS0022	Data source and component	File: File Metadata	Description	Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc that would aid in the manipulation of data to hide activity

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for newly constructed files in order to manipulate external outcomes or hide activity

ID	Data source and component	Description
DS0022	File: File Modification	Monitor for unexpected files with manipulated data in order to manipulate external outcomes or hide activity
DS0022	File: File Deletion	Monitor for unexpected deletion of a file in order to manipulate external outcomes or hide activity
DS0009	Process: OS API Execution	Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.
DS0022	File: File Metadata	Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc that would aid in the manipulation of data to hide activity
DS0022	File: File Creation	Monitor for newly constructed files in order to manipulate external outcomes or hide activity

Mitigation

ID	M1022	Name	Restrict File and Directory Permissions	Description	Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code.

ID	M1030	Name	Network Segmentation	Description	Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering.

ID	Name	Description
M1022	Restrict File and Directory Permissions	Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code.
M1030	Network Segmentation	Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering.