DET0391: Detection Strategy for Runtime Data Manipulation.
Analyst context for executives and security teams
DET0391 is a MITRE detection strategy object for Runtime Data Manipulation, which is related to ATT&CK technique T1565.003. The business issue is data integrity: if data is changed as it is accessed or displayed, leaders may make decisions based on false information even if the underlying system appears available. This matters most where displayed data drives approvals, financial activity, operations, reporting, or other business processes.
Executive priority
Treat this as an integrity and resilience question, not only a malware or endpoint question. Leaders should ask which critical applications and workflows rely on trusted runtime display or processing of data, whether those systems have integrity monitoring and change control evidence, and whether incident response can determine when users saw manipulated information. Because the supplied detection strategy has no official detection detail or platform list, priority should be based on local criticality of applications and the related ATT&CK technique’s supported platforms: Linux, macOS, and Windows.
Technical view
SOC, detection engineering, and IR teams should validate coverage around the related technique T1565.003: unauthorized modification of application binaries, unexpected changes to software components that render or transform data, suspicious process or file integrity changes around critical applications, and discrepancies between stored data and data presented to users. Since the DET0391 object does not provide official detection logic, teams should not assume coverage from ATT&CK alone; they should map local telemetry and controls to the runtime paths used by business-critical applications.
Likely telemetry
- File integrity monitoring for application binaries, libraries, scripts, and configuration files
- Endpoint process execution and parent-child process activity on Linux, macOS, and Windows systems supporting critical applications
- Application logs showing data access, rendering, transformation, or transaction presentation events
- Change management records for approved software updates and application component changes
- EDR or host telemetry for unexpected writes to application directories or runtime components
Detection direction
- Validate whether monitoring covers integrity changes to binaries and components used to access or display critical data.
- Tune detections to distinguish approved application updates from unauthorized or out-of-window changes.
- Correlate host-level modification events with application-layer anomalies, user reports, and business process exceptions.
- Look for evidence of divergence between stored data and the information presented to end users, reports, or downstream workflows.
- Account for blind spots where application logging records only the final displayed value and not the source data, transformation path, or rendering component.
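The out-of-window and correlation checks above, as an added example that is not part of the DET0391 object or of Glexia's or MITRE's content: it triages constructed FIM write events against constructed change-management windows, alerts only on content changes to assumed runtime component paths that no approved change explains, and marks an alert corroborated when an application-layer anomaly follows it on the same host. The path layout, event shapes and sample values are all assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Constructed event shapes (assumptions for this example, not DET0391 data sources):
# a FIM/EDR write event and an approved change-management window.
FileChange = namedtuple("FileChange", "ts host path old_hash new_hash")
ChangeWindow = namedtuple("ChangeWindow", "ticket host path_glob start end")

# Paths treated as runtime components that render or transform data (assumed layout).
RUNTIME_GLOBS = ("/opt/app/bin/*", "/opt/app/lib/*.so", "/opt/app/templates/*")

def is_runtime_component(path):
    return any(fnmatch(path, g) for g in RUNTIME_GLOBS)

def approving_ticket(change, windows):
    """Return the ticket whose host, path pattern and time window cover the change."""
    for w in windows:
        if (w.host == change.host and fnmatch(change.path, w.path_glob)
                and w.start <= change.ts <= w.end):
            return w.ticket
    return None

def triage(changes, windows, anomalies, horizon=timedelta(hours=24)):
    """Alert on out-of-window content changes to runtime components; mark an alert
    corroborated when an application-layer anomaly follows it on the same host."""
    alerts = []
    for c in changes:
        if c.old_hash == c.new_hash or not is_runtime_component(c.path):
            continue                              # no content change, or out of scope
        if approving_ticket(c, windows):
            continue                              # explained by an approved change
        followed = any(c.ts <= a <= c.ts + horizon for a in anomalies.get(c.host, []))
        alerts.append({"host": c.host, "path": c.path, "ts": c.ts,
                       "new_hash": c.new_hash, "corroborated": followed})
    return alerts

def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample telemetry: approved binary update, out-of-window library change, log write.
CHANGES = [
    FileChange(_t("2024-03-10T02:15:00"), "app01", "/opt/app/bin/renderer", "a1", "b2"),
    FileChange(_t("2024-03-12T13:40:00"), "app01", "/opt/app/lib/libreport.so", "c3", "d4"),
    FileChange(_t("2024-03-12T14:00:00"), "app01", "/var/log/app/app.log", "e5", "f6"),
]
WINDOWS = [ChangeWindow("CHG-1001", "app01", "/opt/app/bin/*",
                        _t("2024-03-10T02:00:00"), _t("2024-03-10T03:00:00"))]
# Constructed application-layer exception: a report total failed reconciliation.
ANOMALIES = {"app01": [_t("2024-03-12T15:05:00")]}
```

Calling `triage(CHANGES, WINDOWS, ANOMALIES)` returns a single corroborated alert for the library change; the log write is out of scope and the binary update is covered by CHG-1001.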
Mitigation priorities
- Identify business-critical applications where manipulated runtime data could affect decisions, transactions, operations, or compliance reporting.
- Enforce controlled software change processes for application binaries, libraries, scripts, and configuration that affect data presentation or transformation.
- Deploy or validate file integrity monitoring and endpoint telemetry on Linux, macOS, and Windows systems that support those applications.
- Harden permissions so only authorized processes and administrators can modify application runtime components.
- Preserve application, endpoint, and change-management evidence needed to reconstruct what data users actually saw during an incident.
Analyst notes and limits
This take is based on the DET0391 detection strategy object and its relationship to T1565.003 Runtime Data Manipulation. The related technique is in the impact tactic and applies to Linux, macOS, and Windows. The object itself has no official description, tactics, platforms, or detection content, so the practical guidance is framed as validation direction rather than a claim of MITRE-provided detection logic.
The supplied ATT&CK object is sparse: no official detection text, no object-level platforms, no tactics, and no aliases or labels. Local application architecture, logging depth, endpoint coverage, and change-control evidence are required to determine actual detection and response readiness. No active exploitation, attribution, or guaranteed detection coverage is implied.
Detection Strategy for Runtime Data Manipulation.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1565.003 | Runtime Data Manipulation Sub-technique | This object detects Runtime Data Manipulation. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 564a81b97704… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0391 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.