MITRE ATT&CK® Detection Strategy

DET0059: Detection Strategy for Data Manipulation

Domain: Enterprise | ID: DET0059 | Type: Detection Strategy | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0059 is a detection strategy object for Data Manipulation (T1565), an impact behavior where adversaries may insert, delete, or alter data to affect business processes, organizational understanding, decision-making, or to hide activity. The business significance is data integrity: if critical records, reports, transactions, or operational data can be changed without timely detection, leaders may make decisions from untrusted information and responders may lose confidence in evidence during an incident.

Executive priority

Treat this as a data-integrity and resilience question, not only a malware or endpoint question. Leaders should ask which business processes depend on high-integrity data, who can change that data, whether changes are independently logged, and whether the SOC or incident response team can prove what changed, when, and by whom. Because the related ATT&CK technique is under Impact, this also supports audit and compliance evidence around integrity monitoring, change accountability, privileged access, and incident reconstruction.

Technical view

The ATT&CK object itself does not provide a detailed official description or detection logic, so defenders should derive validation from the related technique: Data Manipulation (T1565), associated with the impact tactic and Linux, macOS, and Windows platforms. SOC and IR teams should confirm they can observe unauthorized or suspicious inserts, deletions, and modifications to important data stores, files, application records, and logs. Detection engineering should prioritize integrity-relevant events around sensitive datasets and business-critical applications rather than relying only on generic host compromise alerts.

Likely telemetry

  • File creation, modification, deletion, and permission-change events for high-value data locations
  • Database and application audit logs showing record insert, update, delete, and administrative actions
  • Identity and access logs tying data changes to users, service accounts, privileged accounts, and sessions
  • Endpoint and server logs from Linux, macOS, and Windows systems that host or process critical data
  • Change management records to compare expected business changes against observed data modifications

Detection direction

  • Validate that monitoring covers integrity changes to the specific datasets and systems that drive business decisions, not only operating system security events.
  • Tune detections to distinguish authorized business workflows, batch jobs, maintenance, and application service activity from unusual or unauthorized modifications.
  • Correlate data-change events with identity context, privilege level, source host, time of day, and approved change records.
  • Look for patterns of insertion, deletion, or modification that could influence outcomes or obscure activity, especially where changes affect reporting, transaction records, logs, or operational state.
  • Identify blind spots where applications or databases do not produce immutable or centrally collected audit trails.
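The correlation the bullets above describe, as an added Python example that is not part of the Glexia page or the ATT&CK object: it joins constructed data-change audit events to constructed change-management records by target, account and approved window, then annotates whatever is left over with the identity, privilege, time-of-day and audit-trail context named above. All event fields, hosts, paths, account names and ticket numbers are assumed sample values, and the event shape is an assumed normalised form rather than any product's log format.

```python
from datetime import datetime, time
from fnmatch import fnmatch

# Constructed sample data-change events (not real telemetry). Each record is an
# assumed normalised form of a file, database or application audit entry.
EVENTS = [
    {"ts": "2024-03-04T02:10:00", "host": "erp-db01", "user": "svc_batch",
     "target": "/data/erp/ledger.db", "action": "update", "privileged": False},
    {"ts": "2024-03-04T14:30:00", "host": "erp-app01", "user": "jdoe",
     "target": "/data/erp/ledger.db", "action": "update", "privileged": False},
    {"ts": "2024-03-04T23:45:00", "host": "erp-db01", "user": "dbadmin",
     "target": "/data/erp/ledger.db", "action": "delete", "privileged": True},
    {"ts": "2024-03-05T01:05:00", "host": "erp-db01", "user": "dbadmin",
     "target": "/var/log/erp/audit.log", "action": "modify", "privileged": True},
]

# Constructed approved change records, as a change-management system might export them.
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "target": "/data/erp/ledger.db", "accounts": {"svc_batch"},
     "start": "2024-03-04T02:00:00", "end": "2024-03-04T03:00:00"},
    {"ticket": "CHG-1002", "target": "/data/erp/*.db", "accounts": {"jdoe"},
     "start": "2024-03-04T09:00:00", "end": "2024-03-04T17:00:00"},
]

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed local working window
LOG_PATHS = ("/var/log/*",)                  # audit trails whose modification is always notable


def _parse(ts):
    return datetime.fromisoformat(ts)


def matching_change(event, changes=APPROVED_CHANGES):
    """Return the approved change record covering this event, or None."""
    ts = _parse(event["ts"])
    for chg in changes:
        if (fnmatch(event["target"], chg["target"])
                and event["user"] in chg["accounts"]
                and _parse(chg["start"]) <= ts <= _parse(chg["end"])):
            return chg
    return None


def classify(event, changes=APPROVED_CHANGES):
    """Return reason strings for an analyst; an empty list means the event is covered."""
    reasons = []
    ts = _parse(event["ts"])
    # Changes to audit trails are flagged even when a change record exists.
    if any(fnmatch(event["target"], p) for p in LOG_PATHS):
        reasons.append("audit-trail modified")
    if matching_change(event, changes) is None:
        reasons.append("no approved change covers this account/target/time")
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if event["privileged"]:
            reasons.append("privileged account")
        if event["action"] == "delete":
            reasons.append("deletion")
    return reasons


def review(events=EVENTS, changes=APPROVED_CHANGES):
    """Correlate every event with the change records and return the flagged ones."""
    findings = []
    for ev in events:
        reasons = classify(ev, changes)
        if reasons:
            findings.append({"event": ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review():
        ev = f["event"]
        print(f"{ev['ts']} {ev['host']} {ev['user']} {ev['action']} {ev['target']}: "
              + "; ".join(f["reasons"]))
```

With the constructed input, the two batch and business-hours updates are absorbed by their tickets, while the late-night privileged deletion and the audit-log modification surface with their reasons attached. Replacing the embedded lists with a real audit export and change-ticket feed is the only change needed to run this against an environment's own records.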

Mitigation priorities

  • Prioritize strong access control and least privilege for systems and accounts that can alter business-critical data.
  • Enable and retain audit logging for sensitive data changes, administrative actions, and privileged sessions.
  • Use integrity monitoring, versioning, backups, and recovery procedures where unauthorized data alteration would create material business risk.
  • Separate duties between users who can change data and users who approve, review, or reconcile those changes.
  • Include data manipulation scenarios in incident response playbooks so teams can preserve evidence, identify the scope of changed data, and support business recovery decisions.
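The integrity monitoring named in the third priority, as an added Python example that is not from the Glexia page or the ATT&CK object: a SHA-256 baseline of high-value files is captured, a later snapshot is compared against it, and modified, added and deleted paths are reported separately so responders can scope exactly what changed. The file contents and paths are constructed sample values; snapshot_dir is an assumed helper for taking the same snapshot from a real directory.

```python
import hashlib
from pathlib import Path

# Constructed baseline and later snapshot of a protected data location,
# represented in memory as {path: bytes} so the example runs offline.
BASELINE_FILES = {
    "/data/erp/ledger.db": b"ledger v1",
    "/data/erp/config.ini": b"mode=prod",
    "/data/reports/q1.csv": b"a,b\n1,2\n",
}
CURRENT_FILES = {
    "/data/erp/ledger.db": b"ledger v1 tampered",   # content changed in place
    "/data/erp/config.ini": b"mode=prod",           # unchanged
    "/data/erp/extra.db": b"new",                   # appeared since the baseline
}                                                   # q1.csv is gone


def snapshot(files):
    """Map each path to the SHA-256 hex digest of its contents."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def snapshot_dir(root):
    """Assumed helper: hash every regular file below a real directory."""
    root = Path(root)
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare(baseline, current):
    """Return sorted path lists for files whose digest changed, appeared or vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def integrity_report(baseline_files=BASELINE_FILES, current_files=CURRENT_FILES):
    """Capture both snapshots and diff them; the baseline would normally be stored off-host."""
    return compare(snapshot(baseline_files), snapshot(current_files))


if __name__ == "__main__":
    for kind, paths in integrity_report().items():
        print(f"{kind}: {paths}")
```

The baseline digests only have evidentiary value if they are written somewhere the accounts that can alter the data cannot also alter the baseline, which is the same separation the audit-logging and duty-separation priorities above call for.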

Analyst notes and limits

This take is based on the supplied detection strategy object DET0059 and its relationship to ATT&CK technique T1565 Data Manipulation. The detection strategy has no official description, no official detection text, no specified tactics, and no specified platforms of its own. The practical emphasis therefore comes from the related technique’s impact context and its stated concern with adversaries inserting, deleting, or manipulating data to affect processes, understanding, decisions, or conceal activity.

Coverage cannot be asserted from the supplied ATT&CK fields alone. Local system architecture, application logging, database auditing, identity context, retention, and change-management practices are required to determine whether Data Manipulation can be detected or investigated in a specific environment. No active exploitation, attribution, vendor coverage, or guaranteed detection is implied.

Official MITRE ATT&CK definition

Detection Strategy for Data Manipulation

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name               Relationship / procedure
Enterprise  T1565  Data Manipulation  This object detects Data Manipulation.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: not shown in the mirrored snapshot
Modified: not shown in the mirrored snapshot
Raw hash: 7303c30c413da7f3...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  7303c30c413d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0059 (external source record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.