1. Home
  2. ATT&CK Techniques
  3. T1565.001 Stored Data Manipulation

T1565.001 Stored Data Manipulation Mappings

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
intel-aes-ni Intel Advanced Encryption Standard - New Instructions Win 11, BitLocker T1565.001 Stored Data Manipulation
Comments
BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. Data on the encrypted volume can't be accessed without entering the PIN if configured. TPMs (Intel PTT) also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN. BitLocker can protect against manipulation of stored data on the drive until it is unlocked.
References
  1. https://www.intel.com/content/www/us/en/developer/articles/technical/advanced-encryption-standard-instructions-aes-ni.html
  2. https://www.intel.com/content/dam/www/central-libraries/us/en/documents/white-paper-intel-hardware-shield.pdf
  3. https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/
  4. https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/MSFT-Windows11-Security-book_Sept2023.pdf?msockid=13b4f945a67b6ac00039eda4a7a26b00
  5. https://www.intel.com/content/dam/www/central-libraries/us/en/documents/2022-05/intel-win11-solution-brief-book.pdf
  6. https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures
  7. https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/