DET0193: Detection Strategy for Stored Data Manipulation across OS Platforms.
Analyst context for executives and security teams
DET0193 is a MITRE detection strategy object for detecting Stored Data Manipulation, an ATT&CK Impact technique where adversaries alter data at rest to affect business processes, organizational understanding, or decision-making. The practical risk is not just file tampering; it is loss of trust in records such as documents, databases, stored email, or custom business data that executives and operations teams rely on.
Executive priority
Treat this as a data integrity and resilience issue. Leaders should ask which business-critical records would create operational, financial, legal, or safety consequences if silently changed, deleted, or falsified. The priority is to validate whether SOC, incident response, backup, audit, and application teams can prove what changed, when it changed, who or what changed it, and whether trustworthy recovery points exist.
Technical view
The supplied detection strategy has no official ATT&CK detection text and no platforms listed on the strategy object itself. Its relationship points to T1565.001 Stored Data Manipulation, which is an Impact technique associated with Linux, macOS, and Windows. SOC and IR teams should therefore validate integrity monitoring and investigation workflows around data-at-rest changes, especially for Office files, databases, stored emails, and custom file formats referenced by the related technique. Detection should focus on unauthorized or anomalous insert, delete, or modification activity against high-value stored data, correlated with identity, process, host, application, and backup/audit evidence where available.
Likely telemetry
- File creation, modification, deletion, rename, and permission-change events for critical repositories
- Database audit logs for inserts, updates, deletes, schema changes, and privileged activity
- Email store or collaboration platform audit logs for message or mailbox content changes where applicable
- Endpoint process and user context associated with data modification events
- Authentication and authorization logs tying changes to users, service accounts, or automation
Detection direction
- Start with business-critical data sets rather than broad file-change alerting; high-volume generic modification events can create substantial false positives.
- Validate that detections distinguish expected business processes, maintenance jobs, application writes, and administrative activity from unusual modification patterns.
- Correlate data changes with identity and process context to support incident decisions, not just alert on the existence of a changed file or record.
- Prioritize monitoring for mass changes, changes outside normal workflows, changes by unusual accounts, and changes to records that drive reporting, payments, operations, or compliance evidence.
- Account for blind spots where stored data is changed through applications, databases, synchronization tools, or custom formats rather than direct file-system access.
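The detection direction above, as an added example that is not part of DET0193 or MITRE's material: a small triage pass over constructed file-audit events that scopes to tiered critical stores, correlates each change with account and process context, and flags writes by unexpected actors and mass changes within a short window. The store paths, account names and process paths are placeholders chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of tiered critical stores (placeholder paths) and the
# accounts and application processes expected to write to each of them.
CRITICAL_STORES = {
    "/srv/finance/ledger": {"users": {"svc-erp"}, "procs": {"/usr/bin/erpd"}},
    "/srv/hr/payroll": {"users": {"svc-payroll"}, "procs": {"/usr/bin/payrolld"}},
}
MASS_THRESHOLD = 3                  # writes by one account to one store ...
MASS_WINDOW = timedelta(minutes=5)  # ... within this window count as a mass change

def store_for(path):
    """Map a path to its critical store, or None if the path is out of scope."""
    return next((s for s in CRITICAL_STORES if path.startswith(s + "/")), None)

def triage(events):
    """events: dicts with ts (datetime), user, proc, action, path -> list of (rule, account, store, detail)."""
    alerts, per_actor = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        store = store_for(e["path"])
        if store is None or e["action"] not in {"modify", "delete", "rename"}:
            continue  # keep only integrity-affecting actions against critical stores
        expected = CRITICAL_STORES[store]
        if e["user"] not in expected["users"] or e["proc"] not in expected["procs"]:
            alerts.append(("unexpected_actor", e["user"], store, f'{e["proc"]} {e["action"]} {e["path"]}'))
        per_actor[(e["user"], store)].append(e["ts"])
    for (user, store), ts in per_actor.items():
        start = 0  # sliding window over this actor's time-ordered writes
        for end, t in enumerate(ts):
            while t - ts[start] > MASS_WINDOW:
                start += 1
            if end - start + 1 >= MASS_THRESHOLD:
                alerts.append(("mass_change", user, store, f"{end - start + 1} writes in {MASS_WINDOW}"))
                break
    return alerts

def sample_events():
    """Constructed audit events for the example; not real telemetry."""
    t0 = datetime(2024, 1, 15, 9, 0)
    rows = [
        (0, "svc-erp", "/usr/bin/erpd", "modify", "/srv/finance/ledger/q1.db"),
        (1, "jdoe", "/usr/bin/sqlite3", "modify", "/srv/finance/ledger/q1.db"),
        (2, "svc-payroll", "/usr/bin/payrolld", "modify", "/srv/hr/payroll/a.dat"),
        (3, "svc-payroll", "/usr/bin/payrolld", "modify", "/srv/hr/payroll/b.dat"),
        (4, "svc-payroll", "/usr/bin/payrolld", "delete", "/srv/hr/payroll/c.dat"),
        (30, "jdoe", "/usr/bin/vim", "modify", "/home/jdoe/notes.txt"),
    ]
    return [dict(ts=t0 + timedelta(minutes=m), user=u, proc=p, action=a, path=f)
            for m, u, p, a, f in rows]
```

Running `triage(sample_events())` yields one unexpected-actor alert for the interactive write to the ledger and one mass-change alert for the payroll store, while the out-of-scope home-directory edit produces nothing.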
Mitigation priorities
- Identify and tier business-critical stored data whose integrity matters to operations, reporting, compliance, or recovery.
- Ensure least-privilege access, separation of duties, and strong authentication for users and services that can modify critical data.
- Enable audit logging and retention for critical file stores, databases, email stores, and applications that maintain data at rest.
- Use integrity validation, versioning, backups, snapshots, or other recovery mechanisms sufficient to prove and restore trusted state.
- Test incident response procedures for suspected data manipulation, including scoping, evidence preservation, business-owner validation, and recovery decision points.
Analyst notes and limits
This take is based on DET0193 and its relationship to T1565.001 Stored Data Manipulation. The detection strategy object itself does not include an official description, official detection guidance, tactics, or platforms; the related technique supplies the Impact context and Linux, macOS, and Windows platform association. Local architecture, data ownership, application behavior, and logging configuration will determine practical coverage.
No active exploitation, attribution, specific tool behavior, vendor technology, or guaranteed detection coverage is supplied by the provided ATT&CK fields. The relationship description is truncated in the source material, so recommendations are limited to the visible official fields and relationship context.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1565.001 | Stored Data Manipulation (sub-technique) | This object detects Stored Data Manipulation. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6f8bcd473130… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0193 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.