MITRE ATT&CK® Detection Strategy

DET0254: Detection Strategy of Transmitted Data Manipulation


Enterprise | DET0254 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0254 is a detection strategy object for Transmitted Data Manipulation, a related ATT&CK impact technique where data is altered while moving between systems or toward storage. The business significance is integrity: if transmitted data can be changed, leaders may make decisions from untrusted records, business processes may produce incorrect outcomes, and incident responders may lose confidence in evidence trails.

Executive priority

Treat this as an operational resilience and data-integrity priority rather than only a network monitoring issue. Executives should ask which high-value data flows drive financial, operational, compliance, or customer-facing decisions; whether those flows have integrity controls; and whether the SOC can prove when transmitted data was changed, replayed, or no longer matches the system of record. Because the ATT&CK detection strategy has no official detection text or platforms of its own, prioritization should be based on local critical processes and the related technique context: impact against Linux, macOS, and Windows environments.

Technical view

The supplied ATT&CK object provides no official description, detection logic, tactics, or platforms for DET0254, but it directly detects T1565.002 Transmitted Data Manipulation. SOC and IR teams should therefore validate coverage around integrity of data in transit and handoffs between systems, especially where Linux, macOS, or Windows systems participate in critical workflows. Useful validation should focus on whether teams can correlate sender, receiver, timestamp, transport path, process/service activity, and resulting data-state changes to identify unexpected modification between endpoints or before storage.

Likely telemetry

  • Network flow and session metadata for critical data paths
  • Application and service logs showing submitted, received, transformed, or stored records
  • Endpoint process, file, and inter-process communication logs on Linux, macOS, and Windows systems involved in data transfer
  • Authentication and authorization logs for systems or services that can alter transmitted data
  • Integrity evidence such as hashes, checksums, signatures, or reconciliation records where implemented

Detection direction

  • Map critical transmitted data flows first; without knowing expected sender-to-receiver behavior, detection will be noisy or incomplete.
  • Validate whether monitoring can compare what was sent, what was received, and what was stored for high-value workflows.
  • Tune for integrity anomalies rather than volume alone, including unexpected transformation, missing records, duplicate or replayed records, mismatched checksums, or unauthorized intermediate modification.
  • Correlate application-layer evidence with endpoint and network metadata; network visibility alone may not show manipulation if data is encrypted or transformed by legitimate middleware.
  • Review false positives from normal data normalization, format conversion, retries, queue reprocessing, and batch jobs before escalating as malicious manipulation.
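The "Technical view" and "Detection direction" passages above describe correlating what was sent, what was received and what was stored, and separating integrity anomalies from benign normalization and retries. The following is an added worked example of that reconciliation logic; it is not Glexia's or MITRE's code, and the log records, field names (`stage`, `record_id`, `ts`, `payload`) and the 60-second retry window are constructed assumptions for the demonstration.

```python
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not from any real system). One event per log line,
# normalized to a common shape: stage in {"sent", "received", "stored"}.
SAMPLE_EVENTS = [
    {"stage": "sent",     "record_id": "inv-1001", "ts": 100, "payload": {"amount": 250.00, "payee": "ACME"}},
    {"stage": "received", "record_id": "inv-1001", "ts": 101, "payload": {"payee": "ACME", "amount": 250.0}},  # key order / float form differ: benign
    {"stage": "stored",   "record_id": "inv-1001", "ts": 102, "payload": {"payee": "ACME", "amount": 250.0}},
    {"stage": "sent",     "record_id": "inv-1002", "ts": 110, "payload": {"amount": 980.00, "payee": "Widgets Ltd"}},
    {"stage": "received", "record_id": "inv-1002", "ts": 111, "payload": {"amount": 980.00, "payee": "Evil Co"}},  # changed in transit
    {"stage": "stored",   "record_id": "inv-1002", "ts": 112, "payload": {"amount": 980.00, "payee": "Evil Co"}},
    {"stage": "sent",     "record_id": "inv-1003", "ts": 120, "payload": {"amount": 40.00, "payee": "ACME"}},
    {"stage": "received", "record_id": "inv-1003", "ts": 121, "payload": {"amount": 40.00, "payee": "ACME"}},
    {"stage": "stored",   "record_id": "inv-1003", "ts": 122, "payload": {"amount": 40.00, "payee": "ACME"}},
    {"stage": "received", "record_id": "inv-1003", "ts": 123, "payload": {"amount": 40.00, "payee": "ACME"}},  # retry inside window: benign duplicate
    {"stage": "sent",     "record_id": "inv-1004", "ts": 130, "payload": {"amount": 15.00, "payee": "ACME"}},  # never arrives
    {"stage": "sent",     "record_id": "inv-1005", "ts": 140, "payload": {"amount": 70.00, "payee": "ACME"}},
    {"stage": "received", "record_id": "inv-1005", "ts": 141, "payload": {"amount": 70.00, "payee": "ACME"}},
    {"stage": "stored",   "record_id": "inv-1005", "ts": 142, "payload": {"amount": 70.00, "payee": "ACME"}},
    {"stage": "received", "record_id": "inv-1005", "ts": 9000, "payload": {"amount": 70.00, "payee": "ACME"}},  # re-delivered much later: replay candidate
    {"stage": "sent",     "record_id": "inv-1006", "ts": 150, "payload": {"amount": 5.00, "payee": "ACME"}},
    {"stage": "received", "record_id": "inv-1006", "ts": 151, "payload": {"amount": 5.00, "payee": "ACME"}},
    {"stage": "stored",   "record_id": "inv-1006", "ts": 152, "payload": {"amount": 500.00, "payee": "ACME"}},  # changed by middleware before storage
]

RETRY_WINDOW_SECONDS = 60  # assumption: duplicates closer than this are treated as transport retries


@dataclass(frozen=True)
class Finding:
    record_id: str
    kind: str
    detail: str


def canonical_digest(payload: dict) -> str:
    """Hash a canonical form of the record so benign normalization (key order,
    250.00 vs 250.0) does not look like manipulation."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def reconcile(events, retry_window=RETRY_WINDOW_SECONDS):
    """Compare sent, received and stored views of every record and report
    integrity anomalies; benign retries are reported as informational only."""
    by_record = defaultdict(lambda: defaultdict(list))  # record_id -> stage -> [(ts, digest)]
    for e in events:
        by_record[e["record_id"]][e["stage"]].append((e["ts"], canonical_digest(e["payload"])))

    findings = []
    for rid, stages in sorted(by_record.items()):
        sent = sorted(stages.get("sent", []))
        received = sorted(stages.get("received", []))
        stored = sorted(stages.get("stored", []))
        if not sent:
            findings.append(Finding(rid, "UNEXPECTED_RECORD", "received or stored without a sender event"))
            continue
        if not received:
            findings.append(Finding(rid, "MISSING_AT_RECEIVER", "sent but no receipt logged"))
            continue
        first_ts, first_digest = received[0]
        if first_digest != sent[0][1]:
            findings.append(Finding(rid, "MODIFIED_IN_TRANSIT", "receiver digest differs from sender digest"))
        # Repeated receipts: a same-content copy inside the retry window is a retry;
        # anything else (late or different content) is a replay candidate.
        for ts, digest in received[1:]:
            if digest == first_digest and ts - first_ts <= retry_window:
                findings.append(Finding(rid, "DUPLICATE_RETRY", "informational: same content within retry window"))
            else:
                findings.append(Finding(rid, "REPLAYED_RECORD", f"re-delivered {ts - first_ts}s after first receipt"))
        if not stored:
            findings.append(Finding(rid, "MISSING_IN_STORE", "received but never stored"))
        elif stored[-1][1] != first_digest:
            findings.append(Finding(rid, "MODIFIED_BEFORE_STORAGE", "stored digest differs from received digest"))
    return findings


if __name__ == "__main__":
    for f in reconcile(SAMPLE_EVENTS):
        print(f"{f.record_id:10} {f.kind:24} {f.detail}")
```

The canonicalization step is where most false-positive tuning happens in practice: if a legitimate middleware stage renames fields or converts units, the normalizer has to model that transformation, otherwise every record through that stage reports `MODIFIED_BEFORE_STORAGE`. Retries are kept as informational findings rather than dropped, so a reviewer can still see volume patterns.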

Mitigation priorities

  • Prioritize inventory of business-critical data flows and identify where transmitted data affects decisions, compliance evidence, or operational outcomes.
  • Use integrity protections appropriate to the workflow, such as authenticated transport, signed messages, checksums, reconciliation, and tamper-evident logging where supported by the environment.
  • Restrict and audit accounts, services, and middleware that can modify data in transit or before storage.
  • Ensure endpoint, application, and storage logs are retained long enough to reconstruct sender-to-receiver-to-storage chains during incident response.
  • Build incident playbooks for suspected data-integrity compromise, including containment of affected services and validation of downstream business records.
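As an added illustration of the second mitigation bullet (signed messages and tamper-evident logging), the block below shows a sender that signs each record with an HMAC and a sequence number, a receiver that rejects records whose signature fails or whose sequence number was already seen, and a hash-chained receipt log whose entries cannot be edited after the fact without breaking the chain. This is example code, not Glexia's or MITRE's; the shared key, record layout and `Receiver` class are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a per-flow secret provisioned out of band; constructed for this demo only.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # chain anchor for the first log entry


def sign_record(key: bytes, record_id: str, seq: int, payload: dict) -> dict:
    """Sender side: bind record id, sequence number and payload under one HMAC tag."""
    body = json.dumps({"record_id": record_id, "seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag, enforce strictly increasing sequence numbers,
    and append every verdict to a hash-chained log."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.chain_head = GENESIS
        self.log = []

    def accept(self, msg: dict) -> str:
        expected = hmac.new(self.key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return self._record("REJECT_BAD_SIGNATURE", msg)   # content or tag altered
        record = json.loads(msg["body"])
        if record["seq"] <= self.last_seq:
            return self._record("REJECT_REPLAY", msg)          # already seen this sequence
        self.last_seq = record["seq"]
        return self._record("ACCEPT", msg)

    def _record(self, verdict: str, msg: dict) -> str:
        # Each entry commits to the previous entry's hash, so edits break the chain.
        entry = json.dumps({"prev": self.chain_head, "tag": msg["tag"], "verdict": verdict},
                           sort_keys=True)
        self.chain_head = hashlib.sha256(entry.encode()).hexdigest()
        self.log.append({"entry": entry, "hash": self.chain_head})
        return verdict


def verify_chain(log) -> int:
    """Return -1 if the receipt log is intact, else the index of the first broken entry."""
    prev = GENESIS
    for i, item in enumerate(log):
        if json.loads(item["entry"])["prev"] != prev:
            return i
        digest = hashlib.sha256(item["entry"].encode()).hexdigest()
        if digest != item["hash"]:
            return i
        prev = digest
    return -1


def demo():
    """Constructed exchange: one good record, one altered copy, the genuine copy, one replay,
    then an after-the-fact edit of the receipt log."""
    receiver = Receiver(DEMO_KEY)
    m1 = sign_record(DEMO_KEY, "inv-1", 1, {"amount": 10, "payee": "ACME"})
    m2 = sign_record(DEMO_KEY, "inv-2", 2, {"amount": 20, "payee": "ACME"})
    altered = {"body": m2["body"].replace('"payee":"ACME"', '"payee":"Evil Co"'), "tag": m2["tag"]}
    verdicts = [receiver.accept(m1), receiver.accept(altered), receiver.accept(m2), receiver.accept(m1)]
    intact_before = verify_chain(receiver.log)
    # Simulate someone rewriting a stored verdict; the chain exposes the edit.
    receiver.log[1]["entry"] = receiver.log[1]["entry"].replace("REJECT_BAD_SIGNATURE", "ACCEPT")
    return verdicts, intact_before, verify_chain(receiver.log)


if __name__ == "__main__":
    print(demo())
```

Note what each control buys: the HMAC catches modification of the body (or of the tag) between sender and receiver, the sequence check catches re-delivery of a genuine record, and the hash chain catches later edits to the receiver's own evidence. None of them tells you what the correct value should have been; that still comes from reconciliation against the system of record.
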

Analyst notes and limits

This take is derived from the supplied ATT&CK detection strategy DET0254 and its relationship to T1565.002 Transmitted Data Manipulation. The decision value is in validating end-to-end integrity monitoring for business-critical data paths, because the related technique is categorized under impact and concerns manipulation of data en route to storage or other systems.

The DET0254 object has no official description, detection text, tactics, or platforms. Platform and tactic context comes only from the related technique T1565.002, which lists impact and Linux, macOS, and Windows. Local architecture, data-flow design, encryption, logging, and application behavior are required to turn this into deployable detection logic.

Official MITRE ATT&CK definition

Detection Strategy of Transmitted Data Manipulation

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1565.002
Name: Transmitted Data Manipulation (sub-technique)
Relationship / procedure: This object detects Transmitted Data Manipulation.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in the mirrored object)
Modified: (not present in the mirrored object)
Raw hash: 670ef47eafe51e73...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported: (not present)
Object version: 1.0
Modified: (not present)
Status: Current bundle
Raw hash: 670ef47eafe5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0254

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.