DET0059 Detection Strategy for Data Manipulation

Item	Value
ID	DET0059
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1565 (Data Manipulation)

Analytics

Windows

AN0162

Correlate unauthorized or anomalous file modifications, deletions, or metadata changes with suspicious process execution or API calls. Detect abnormal changes to structured data (e.g., database files, logs, financial records) outside expected business process activity.

Log Sources

Data Component	Name	Channel
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11
File Modification (DC0061)	WinEventLog:Sysmon	EventCode=2
File Metadata (DC0059)	WinEventLog:Sysmon	EventCode=15
File Access (DC0055)	WinEventLog:Security	EventCode=4663, 4670, 4656

Mutable Elements

Field	Description
MonitoredFilePaths	List of critical data directories or files; environment-specific tuning required.
TimeWindow	Threshold for correlating process execution with rapid data changes.
AuthorizedProcesses	Expected processes permitted to modify business-critical data.

Linux

AN0163

Detect unauthorized manipulation of log files, database entries, or system configuration files through auditd and syslog. Correlate shell commands that alter HISTFILE or data-related processes with abnormal file access patterns.

Log Sources

Data Component	Name	Channel
File Modification (DC0061)	auditd:SYSCALL	open, unlink, rename: Suspicious file access, deletion, or modification of sensitive paths
Network Traffic Content (DC0085)	linux:syslog	Unexpected SQL or application log entries showing tampered or malformed data

Mutable Elements

Field	Description
WatchedDirectories	Specific log or data directories critical to integrity; tune per organization.
CommandExclusions	Legitimate scripts/tools excluded from data manipulation monitoring.

macOS

AN0164

Detect manipulation of system or application files in /Library, /System, or user data directories using FSEvents and Unified Logs. Identify anomalous process execution modifying plist files, structured data, or logs outside expected update cycles.

Log Sources

Data Component	Name	Channel
File Modification (DC0061)	macos:unifiedlog	Anomalous plist modifications or sensitive file overwrites by non-standard processes
OS API Execution (DC0021)	macos:osquery	open, execve: Unexpected processes accessing or modifying critical files

Mutable Elements

Field	Description
AllowedPlistEditors	Whitelisted processes authorized to modify plist or configuration files.
FileIntegrityBaseline	Baseline hash values for key files to support integrity validation.