MITRE ATT&CK® Technique

T1565.001: Stored Data Manipulation

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.[1][2] By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

Domain: Enterprise | ID: T1565.001 | Type: Sub-technique | Object version: 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Stored Data Manipulation is an integrity risk: an adversary changes data at rest so the organization, its customers, or its systems make decisions from false records. This matters beyond file tampering because the affected data may be Office files, databases, stored email, logs, or custom business formats that drive reporting, financial processes, investigations, or operational decisions.

Executive priority

Treat this as a business process and evidence-integrity problem, not only an endpoint issue. Leaders should ask which stored data sets are decision-critical, who can modify them, whether changes are independently logged off-host, and how the organization would prove record integrity during an incident, audit, or dispute. Priority should go to high-value repositories where unauthorized modification could disrupt operations, conceal activity, or mislead management decisions.

Technical view

This enterprise ATT&CK sub-technique applies to Linux, macOS, and Windows under the Impact tactic and is a sub-technique of Data Manipulation. MITRE provides no official detection text, but the relationship set includes DET0193, a detection strategy for Stored Data Manipulation across OS platforms. SOC and IR teams should validate monitoring around unauthorized or unusual changes to sensitive files, databases, stored emails, custom data formats, and integrity-relevant metadata. Review access paths and write permissions, then correlate modification events with authenticated user context, process execution, administrative activity, and remote storage or centralized log evidence where available.

Likely telemetry

  • File creation, deletion, modification, rename, permission, ownership, and timestamp-change events on sensitive directories
  • Database change logs or audit records for critical tables and records
  • Email store or collaboration repository audit logs where stored messages or files can be modified
  • Endpoint process and user context associated with writes to protected or business-critical data
  • Centralized or remote log storage records that can preserve evidence if local data is altered

Detection direction

  • Start by defining the data sets where integrity matters most; generic file-change alerting will be noisy without business context.
  • Validate coverage across Linux, macOS, and Windows systems that store sensitive or process-critical data.
  • Tune for unauthorized writes, unexpected bulk edits or deletes, changes by unusual accounts or processes, and modification of data that normally has stable ownership or limited update patterns.
  • Use off-host or centralized logging where possible so local tampering does not erase the only evidence source.
  • Account for legitimate administrative, application, backup, migration, and maintenance activity to reduce false positives.
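
The detection direction above (scope to the data sets that matter, flag unauthorized writers, bulk edits and metadata changes, suppress approved maintenance) can be expressed as a small rule set over file-audit events. The following is an added example, not Glexia's or MITRE's code: the event shape, the paths under `/srv/finance/ledger/` and `/var/log/audit/`, the account and process names, the thresholds and the maintenance window are all assumptions chosen for illustration, and the events are constructed, not real telemetry.

```python
"""Detection sketch for T1565.001 over file-audit events.

Added example, not Glexia's or MITRE's code. The event shape, paths, account
names, process names and thresholds are assumptions chosen for illustration;
map them onto your real audit source (auditd, Windows 4663/4670, EDR file
telemetry) before deploying anything like this.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Policy: which data sets matter and who may legitimately touch them.
# A writer is a (user, process) pair; admins may also change ownership,
# permissions or timestamps. All values are assumed for the example.
POLICY = {
    "/srv/finance/ledger/": {
        "writers": {("svc-erp", "erpd"), ("svc-backup", "restic")},
        "admins": {"svc-backup"},
    },
    "/var/log/audit/": {
        "writers": {("root", "auditd")},
        "admins": set(),          # nobody should chown/chmod/touch the audit log
    },
}
BULK_THRESHOLD = 4                      # distinct files by one principal ...
BULK_WINDOW = timedelta(seconds=60)     # ... inside this window
MAINTENANCE = [                         # approved change windows (account, start, end)
    ("svc-migrate",
     datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc),
     datetime(2024, 5, 1, 4, 0, tzinfo=timezone.utc)),
]
MUTATING = {"write", "delete", "rename"}
METADATA = {"chown", "chmod", "utimes"}


def _dataset(path):
    """Return the policy prefix covering path, or None if out of scope."""
    return next((p for p in POLICY if path.startswith(p)), None)


def _in_maintenance(user, ts):
    return any(u == user and start <= ts <= end for u, start, end in MAINTENANCE)


def detect(events):
    """Return findings as (rule, user, process, target) tuples.

    Each event is {"ts": datetime, "path": str, "action": str,
                   "user": str, "process": str}; input order is not assumed.
    """
    findings = []
    recent = defaultdict(list)   # (user, process) -> [(ts, path), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ds = _dataset(ev["path"])
        if ds is None or _in_maintenance(ev["user"], ev["ts"]):
            continue             # out of scope, or inside an approved window
        rule = POLICY[ds]
        principal = (ev["user"], ev["process"])
        if ev["action"] in MUTATING:
            if principal not in rule["writers"]:
                findings.append(("unauthorized_write", *principal, ev["path"]))
            # Sliding window of distinct files touched by this principal.
            window = [(t, p) for t, p in recent[principal] if ev["ts"] - t <= BULK_WINDOW]
            window.append((ev["ts"], ev["path"]))
            recent[principal] = window
            if len({p for _, p in window}) == BULK_THRESHOLD:   # fire once, on crossing
                findings.append(("bulk_change", *principal, ds))
        elif ev["action"] in METADATA and ev["user"] not in rule["admins"]:
            findings.append(("metadata_tamper", *principal, ev["path"]))
    return findings


def sample_events():
    """Constructed audit events for the example; not real telemetry."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)

    def ev(offset_s, path, action, user, process):
        return {"ts": t0 + timedelta(seconds=offset_s), "path": path,
                "action": action, "user": user, "process": process}

    return [
        ev(-7 * 3600, "/srv/finance/ledger/2024-04.csv", "write", "svc-migrate", "pg_restore"),  # 02:00, in window
        ev(0, "/srv/finance/ledger/2024-04.csv", "write", "svc-erp", "erpd"),   # legitimate app write
        ev(5, "/srv/finance/ledger/2024-04.csv", "write", "jdoe", "bash"),      # interactive edits ...
        ev(6, "/srv/finance/ledger/2024-03.csv", "write", "jdoe", "bash"),
        ev(7, "/srv/finance/ledger/2024-02.csv", "write", "jdoe", "bash"),
        ev(8, "/srv/finance/ledger/2024-01.csv", "write", "jdoe", "bash"),      # ... fourth file: bulk
        ev(9, "/srv/finance/ledger/2024-01.csv", "utimes", "jdoe", "touch"),    # timestamp reset
        ev(30, "/var/log/audit/audit.log", "write", "root", "auditd"),          # legitimate
        ev(40, "/home/jdoe/notes.txt", "write", "jdoe", "vim"),                 # out of scope
    ]


if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(*finding)
```

Run against the constructed events, the rules produce four `unauthorized_write` findings for the interactive edits, one `bulk_change` when the fourth distinct ledger file is touched inside the window, and one `metadata_tamper` for the timestamp reset; the ERP write, the audit daemon write, the out-of-scope home directory file and the migration account inside its approved window produce nothing. The allowlist is keyed on the (user, process) pair rather than the user alone, so the same service account running an unexpected binary still fires.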

Mitigation priorities

  • Restrict file and directory permissions so only required users, groups, and processes can modify sensitive stored data.
  • Use remote or centralized storage for critical logs and sensitive evidence so local compromise is less likely to remove or alter all records.
  • Encrypt sensitive information where appropriate (M1041), but note that encryption alone protects confidentiality, not integrity: an adversary who can write to the storage can still replace or corrupt ciphertext. Where the goal is to detect tampering with data at rest, use authenticated encryption or a separate keyed MAC or signature, with the key held where a compromised host cannot reach it.
  • Prioritize least privilege and independent auditability for repositories that support financial, operational, investigative, or compliance decisions.
  • Test recovery and validation procedures so teams can identify what changed and restore trusted data after suspected manipulation.
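
The last three mitigation bullets (independent auditability, off-host evidence, and being able to say what changed after suspected manipulation) come down to a trusted integrity baseline held outside the protected system. The block below is an added example, not Glexia's or MITRE's code: it builds a keyed manifest of a directory tree (HMAC-SHA256 over each file's contents, plus the mode and owner that permission controls are meant to keep stable), seals the manifest with the same key so a substituted manifest is itself detectable, and diffs the live tree against it. The key and the sealed manifest are assumed to be stored off-host; a plain unkeyed hash list would not help, since an adversary with write access could simply recompute it. The sample ledger tree, file names and key handling are constructed for illustration.

```python
"""Keyed integrity manifest for sensitive stored data (T1565.001).

Added example, not Glexia's or MITRE's code. It builds a manifest of a
directory tree (per-file HMAC over contents, plus mode and owner), seals the
manifest with the same key, and later diffs the live tree against it so a
responder can answer "what changed?". The key and the sealed manifest are
meant to live off the protected host; the sample tree, paths and key
handling here are assumptions for illustration.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def _record(path: Path, key: bytes) -> dict:
    """HMAC of file contents plus the metadata that should stay stable."""
    st = path.stat()
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return {"hmac": mac.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}


def build_manifest(root, key: bytes) -> dict:
    """Map relative POSIX path -> record for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _record(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(manifest: dict, key: bytes):
    """Serialize and tag the manifest so a swapped manifest is itself detectable."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_intact(body: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest())


def verify(root, key: bytes, body: bytes, tag: str) -> dict:
    """Diff the live tree against a sealed manifest.

    A file whose content changed is reported under content_changed even if
    its mode or owner changed too; metadata_changed lists files whose
    contents still match but whose mode or owner drifted.
    """
    if not manifest_intact(body, tag, key):
        raise ValueError("manifest tag mismatch: wrong key or manifest altered")
    trusted = json.loads(body)
    live = build_manifest(root, key)
    report = {"added": sorted(set(live) - set(trusted)),
              "removed": sorted(set(trusted) - set(live)),
              "content_changed": [], "metadata_changed": []}
    for rel in sorted(set(live) & set(trusted)):
        if live[rel]["hmac"] != trusted[rel]["hmac"]:
            report["content_changed"].append(rel)
        elif (live[rel]["mode"], live[rel]["uid"]) != (trusted[rel]["mode"], trusted[rel]["uid"]):
            report["metadata_changed"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: seal a small ledger tree, manipulate it, verify."""
    key = os.urandom(32)   # in practice generated and stored off-host, never beside the data
    with tempfile.TemporaryDirectory() as tmp:
        ledger = Path(tmp) / "ledger"
        ledger.mkdir()
        (ledger / "2024-02.csv").write_text("id,amount\n1,75\n")
        (ledger / "2024-03.csv").write_text("id,amount\n1,90\n")
        (ledger / "2024-04.csv").write_text("id,amount\n1,100\n2,250\n")
        (ledger / "2024-03.csv").chmod(0o640)
        body, tag = seal(build_manifest(tmp, key), key)
        # Simulated stored-data manipulation: edit a record, loosen permissions,
        # delete one file and plant another.
        (ledger / "2024-04.csv").write_text("id,amount\n1,100\n2,25000\n")
        (ledger / "2024-03.csv").chmod(0o666)
        (ledger / "2024-02.csv").unlink()
        (ledger / "2024-05.csv").write_text("id,amount\n9,1\n")
        return verify(tmp, key, body, tag)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the constructed tree the report lists `ledger/2024-05.csv` as added, `ledger/2024-02.csv` as removed, `ledger/2024-04.csv` under content_changed and `ledger/2024-03.csv` under metadata_changed. The same verify routine is the validation step before restoring from backup: run it against the backup copy first, so a manipulated record is not restored as if it were trusted.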

Analyst notes and limits

Relationship context shows mitigations M1022 Restrict File and Directory Permissions, M1029 Remote Data Storage, and M1041 Encrypt Sensitive Information. It also shows software relationships for SUNSPOT and MultiLayer Wiper, but those relationships should be used only as context that the behavior has been modeled in ATT&CK, not as evidence of current activity in any environment.

MITRE does not provide official detection text for this object in the supplied fields. The impact of this technique depends heavily on the local application, data format, permissions model, and business process. Confirm actual telemetry, repository ownership, and integrity requirements before making coverage or risk claims.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1565 | Data Manipulation | This object is a sub-technique of T1565 Data Manipulation.
Enterprise | T1492 | Stored Data Manipulation | T1492 (the former top-level Stored Data Manipulation technique) was revoked and is superseded by this object.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0082: APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: eb547ee78f6d7fcd...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | eb547ee78f6d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] FireEye APT38 Oct 2018: FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
  [2] DOJ Lazarus Sony 2018: Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
  [3] mitre-attack T1565.001: MITRE ATT&CK source object for T1565.001.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.