存储数据操作

对手可能会插入，删除或操纵静态数据，以便操纵外部结果或隐藏活动。通过操纵存储的数据，对手可能会尝试影响业务流程，组织理解和决策。

存储的数据可以包括多种文件格式，例如Office文件，数据库，存储的电子邮件和自定义文件格式。修改的类型及其所产生的影响取决于数据的类型以及对手的目的和目标。对于复杂的系统，对手可能需要特殊的专业知识，并且可能需要访问与该系统相关的专用软件，这通常是通过长时间的信息收集活动来获得的，以产生所需的影响。

Stored Data Manipulation

Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

标签

ID编号： T1492

策略： 影响

平台： Linux，macOS，Windows

所需权限： user，administrator，root，SYSTEM

数据源： 应用程序日志，文件监视

影响类型： 完整性

程序示例

名称	描述
APT38 (G0082)	APT38已使用DYEPACK在用于SWIFT事务的数据库中创建，删除和更改记录。
FIN4 (G0085)	FIN4已在受害者的Microsoft Outlook帐户中创建了规则，以自动删除包含诸如“被黑客入侵”，“网络钓鱼”和“恶意软件”之类的单词的电子邮件，这很可能是为了阻止组织就其活动进行交流。

Name	Description
APT38 (G0082)	APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.
FIN4 (G0085)	FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as “hacked," "phish," and “malware" in a likely attempt to prevent organizations from communicating about their activities.

缓解措施

缓解	描述
加密敏感信息(M1041)	考虑对重要信息进行加密，以降低对手执行定制数据修改的能力。
远程数据存储(M1029)	考虑实施IT灾难恢复计划，其中包含用于进行可用于还原组织数据的常规数据备份的过程。确保备份存储在系统之外，并且免受攻击者用来获取访问权限和操纵备份的常用方法的保护。
限制文件和目录权限(M1022)	确保将最小特权原则应用于重要的信息资源，以减少数据操纵风险。

Mitigation	Description
Encrypt Sensitive Information (M1041)	Consider encrypting important information to reduce an adversaries ability to perform tailored data modifications.
Remote Data Storage (M1029)	Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.
Restrict File and Directory Permissions (M1022)	Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.

检测

在适用的情况下，检查重要的文件散列，位置和修改是否为可疑/意外值。

Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values.