Skip to content

DET0193 Detection Strategy for Stored Data Manipulation across OS Platforms.

Item Value
ID DET0193
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1565.001 (Stored Data Manipulation)

Analytics

Windows

AN0555

Identify unauthorized creation, deletion, or modification of business-critical stored data such as Office documents, database files, and log archives. Detect anomalous processes modifying stored data outside of expected workflows (e.g., non-database processes modifying database files).

Log Sources
Data Component Name Channel
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
File Deletion (DC0040) WinEventLog:Sysmon EventCode=23
File Metadata (DC0059) WinEventLog:Sysmon EventCode=15
File Modification (DC0061) WinEventLog:Security EventCode=4663, 4670, 4656
Mutable Elements
Field Description
MonitoredDirectories Paths to sensitive stored data files such as database directories or email archives.
AuthorizedProcesses List of legitimate processes expected to create, delete, or modify stored data.
TimeWindow Threshold for correlating multiple suspicious file operations within a short period.

Linux

AN0556

Detect suspicious file creation, modification, or deletion in stored data directories (e.g., /var/lib/mysql/, /var/log/, mail spools). Identify shell commands interacting directly with structured data files instead of legitimate database utilities.

Log Sources
Data Component Name Channel
File Creation (DC0039) auditd:SYSCALL open, unlink, rename: File creation or deletion involving critical stored data
File Modification (DC0061) auditd:SYSCALL write: Modification of structured stored data by suspicious processes
Mutable Elements
Field Description
WatchedPaths Environment-specific paths where business-critical stored data resides.
CommandExclusions Legitimate scripts/utilities excluded to minimize false positives.

macOS

AN0557

Monitor sensitive data files such as plist-based storage, mail archives, or Office files for unexpected modifications. Detect anomalous processes modifying stored data outside expected update cycles using FSEvents and Unified Logs.

Log Sources
Data Component Name Channel
File Modification (DC0061) macos:unifiedlog Unexpected creation or modification of stored data files in protected directories
File Deletion (DC0040) macos:osquery CREATE, DELETE, WRITE: Stored data manipulation attempts by unauthorized processes
Mutable Elements
Field Description
FileIntegrityBaseline Baseline hash values or metadata for stored data files to detect manipulation.
AllowedEditors Whitelisted applications permitted to update stored data (e.g., Outlook, MySQL).