ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). Original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices


Glossary: /attack/glossary




Stored Data Manipulation

Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.


ID: T1492

Tactic: Impact

Platforms: Linux, macOS, Windows

Permissions Required: User, Administrator, root, SYSTEM

Data Sources: Application logs, File monitoring

Impact Type: Integrity


Name Description
APT38 (G0082) APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.
FIN4 (G0085) FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as "hacked," "phish," and "malware" in a likely attempt to prevent organizations from communicating about their activities.


Mitigation Description
Encrypt Sensitive Information (M1041) Consider encrypting important information to reduce an adversary's ability to perform tailored data modifications.
Remote Data Storage (M1029) Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and manipulate backups.
Restrict File and Directory Permissions (M1022) Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.
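The integrity side of M1041, as an added example that is not code from ATT&CK or from this translated page: each database record carries an HMAC computed under a key held outside the database, and a keyed checkpoint covers the set of record IDs. An adversary who gains write access to the database but not the key, which is the DYEPACK situation described above, can still alter, delete or insert rows, but the verifier flags every such change. The key, the `txns` schema and the transaction rows are constructed for this illustration.

```python
"""Tamper-evident database records: per-row HMAC plus a keyed checkpoint.
Added example; the key, schema and rows below are constructed for illustration."""
import hashlib
import hmac
import sqlite3
from typing import Dict, List

# Hypothetical key. In practice it is held by the application or an HSM/KMS,
# never on the database host, so write access to the database does not yield it.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def record_tag(key: bytes, txn_id: int, account: str, amount_cents: int) -> str:
    """HMAC-SHA256 over a length-prefixed encoding of the row fields.
    Length prefixes keep field boundaries unambiguous, so moving bytes
    between fields cannot yield the same tag."""
    msg = b"".join(
        len(f).to_bytes(4, "big") + f
        for f in (str(txn_id).encode(), account.encode(), str(amount_cents).encode())
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def checkpoint(key: bytes, ids: List[int]) -> str:
    """HMAC over the sorted ID list, so deleting or inserting whole rows is visible
    even though every surviving row still carries a valid tag."""
    msg = ",".join(str(i) for i in sorted(ids)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def create_ledger(conn: sqlite3.Connection, key: bytes, rows) -> str:
    """Create the txns table, tag every row, and return the checkpoint."""
    conn.execute(
        "CREATE TABLE txns (id INTEGER PRIMARY KEY, account TEXT, "
        "amount_cents INTEGER, tag TEXT)"
    )
    for txn_id, account, amount in rows:
        conn.execute(
            "INSERT INTO txns VALUES (?, ?, ?, ?)",
            (txn_id, account, amount, record_tag(key, txn_id, account, amount)),
        )
    conn.commit()
    return checkpoint(key, [r[0] for r in rows])


def verify_ledger(conn: sqlite3.Connection, key: bytes, expected_checkpoint: str) -> Dict:
    """Recompute every tag and the checkpoint. Reports rows whose tag fails and
    whether the set of IDs differs from the checkpointed set."""
    tampered, ids = [], []
    for txn_id, account, amount, tag in conn.execute(
        "SELECT id, account, amount_cents, tag FROM txns ORDER BY id"
    ):
        ids.append(txn_id)
        if not hmac.compare_digest(tag, record_tag(key, txn_id, account, amount)):
            tampered.append(txn_id)
    set_changed = not hmac.compare_digest(checkpoint(key, ids), expected_checkpoint)
    return {"tampered_rows": tampered, "set_changed": set_changed}


def demo() -> Dict:
    """Constructed scenario: an adversary with write access to the database but
    without the key alters one amount, deletes one record and inserts a new one."""
    conn = sqlite3.connect(":memory:")
    rows = [(1, "ACC-1001", 250000), (2, "ACC-2002", 99000), (3, "ACC-3003", 1200)]
    cp = create_ledger(conn, INTEGRITY_KEY, rows)
    assert verify_ledger(conn, INTEGRITY_KEY, cp) == {"tampered_rows": [], "set_changed": False}

    conn.execute("UPDATE txns SET amount_cents = 25000000 WHERE id = 1")       # tailored change
    conn.execute("DELETE FROM txns WHERE id = 3")                              # erase a record
    conn.execute("INSERT INTO txns VALUES (4, 'ACC-MULE', 500000, 'bogus')")  # forge a record
    return verify_ledger(conn, INTEGRITY_KEY, cp)


if __name__ == "__main__":
    print(demo())  # {'tampered_rows': [1, 4], 'set_changed': True}
```

Two caveats a practitioner should keep in mind. First, the protection is only as good as the key's isolation: if the key is readable from the database host, an adversary with that access simply re-tags the rows. Second, encryption on its own hides content but does not make a modification detectable; to get the integrity property the mitigation is after, use an authenticated mode (for example AES-GCM) or a separate MAC as shown here, and include a version or sequence field under the tag if replaying an old valid row is a concern.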



Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values.
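One way to carry out that detection, as an added example that is not code from ATT&CK or from this page: record a baseline of hash, size, location and mtime for every file under a directory, then diff a later snapshot against it. The comparison separates plain edits from edits whose mtime was reset afterwards (a mtime-only check misses those), pairs a vanished path with a new path holding identical content as a move, and lists additions and deletions. The `demo()` tree, its file names and contents, and the 2019-11-01 baseline timestamp are constructed for this illustration.

```python
"""File-integrity baseline and diff for data at rest.
Added example, not from the ATT&CK page; the tree built in demo() is constructed."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# Baseline entry per relative path: (sha256 hex digest, size in bytes, mtime in ns).
Baseline = Dict[str, Tuple[str, int, int]]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Record hash, size and mtime of every regular file under root (symlinks skipped)."""
    baseline: Baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (sha256_file(full), st.st_size, st.st_mtime_ns)
    return baseline


def compare(old: Baseline, new: Baseline) -> Dict[str, List]:
    """Classify differences between two baselines.
    'modified_silently': content hash changed but mtime did not (edit, then timestamp reset).
    'moved': a path that vanished paired with a new path carrying identical content."""
    report: Dict[str, List] = {
        "added": [], "deleted": [], "modified": [], "modified_silently": [], "moved": []
    }
    old_by_hash: Dict[str, List[str]] = {}
    for path, (digest, _, _) in old.items():
        old_by_hash.setdefault(digest, []).append(path)
    consumed = set()  # old paths already explained as the source of a move

    for path in sorted(new):
        digest, _, mtime = new[path]
        if path in old:
            old_digest, _, old_mtime = old[path]
            if digest != old_digest:
                bucket = "modified_silently" if mtime == old_mtime else "modified"
                report[bucket].append(path)
            continue
        sources = [p for p in old_by_hash.get(digest, []) if p not in new and p not in consumed]
        if sources:
            consumed.add(sources[0])
            report["moved"].append((sources[0], path))
        else:
            report["added"].append(path)

    for path in sorted(old):
        if path not in new and path not in consumed:
            report["deleted"].append(path)
    return report


def demo() -> Dict[str, List]:
    """Constructed scenario: baseline a scratch tree dated 2019-11-01, then change it
    the way an adversary manipulating stored data might, and diff against the baseline."""
    root = tempfile.mkdtemp()
    old_time_ns = 1572566400 * 10**9  # 2019-11-01T00:00:00Z, so later edits get a newer mtime

    def write(rel: str, data: bytes) -> str:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        return full

    try:
        for rel, data in [
            ("ledger/2019-10.csv", b"id,account,amount\n1,ACC-1001,2500.00\n"),
            ("ledger/2019-11.csv", b"id,account,amount\n2,ACC-2002,990.00\n"),
            ("reports/q3.txt", b"Q3 summary: nominal\n"),
            ("reports/old.txt", b"obsolete\n"),
        ]:
            os.utime(write(rel, data), ns=(old_time_ns, old_time_ns))
        before = build_baseline(root)

        write("ledger/2019-10.csv", b"id,account,amount\n1,ACC-1001,25000.00\n")  # tailored edit
        q3 = write("reports/q3.txt", b"Q3 summary: nominal (adjusted)\n")          # edit, then
        os.utime(q3, ns=(old_time_ns, old_time_ns))                                   # reset mtime
        os.remove(os.path.join(root, "reports/old.txt"))                              # erase
        os.rename(os.path.join(root, "ledger/2019-11.csv"), os.path.join(root, "archive.csv"))
        write("ledger/2019-12.csv", b"id,account,amount\n3,ACC-MULE,5000.00\n")   # fabricate
        return compare(before, build_baseline(root))
    finally:
        shutil.rmtree(root)
```

The baseline itself is data at rest and is a natural target for the same technique, so store it (or at least its hash) off the monitored system, as M1029 advises for backups. Hashing is the signal that matters: the `modified_silently` bucket exists precisely because an adversary who can write the file can usually also reset its timestamp.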