Transmitted Data Manipulation

Information

• Name: Transmitted Data Manipulation

• ID: T1565.002

• Tactics: TA0040

• Technique: T1565

Introduction

Transmitted Data Manipulation (T1565.002) is a sub-technique within the MITRE ATT&CK framework, categorized under the broader "Data Manipulation" technique (T1565). This tactic involves adversaries altering data transmitted across networks or communication channels to achieve malicious objectives. Attackers typically intercept, modify, or corrupt data in transit, thereby compromising data integrity and reliability, misleading users or automated processes, and facilitating further exploitation.

Deep Dive Into Technique

Transmitted Data Manipulation involves attackers intercepting and altering data packets traveling between endpoints. This sub-technique can be executed through various mechanisms, including:

• Man-in-the-Middle (MitM) Attacks: Attackers position themselves between communicating parties, intercepting and manipulating data packets before forwarding them to the intended recipient.

• Network Traffic Injection: Attackers inject malicious traffic or modify legitimate traffic to influence the behavior of receiving systems.

• Protocol-level Manipulation: Altering application-layer protocols (such as HTTP, DNS, SMTP) to deliver malicious payloads or redirect legitimate requests to attacker-controlled infrastructure.

• Routing Infrastructure Exploitation: Manipulating routing tables, BGP hijacking, or DNS spoofing to redirect legitimate traffic through attacker-controlled hosts for data manipulation.

Technical considerations and execution methods include:

• Packet Sniffing and Replay: Attackers capture network packets and replay or modify them to disrupt communications or authenticate illegitimate sessions.

• SSL/TLS Interception: Attackers employ SSL stripping or forged certificates to decrypt, alter, and re-encrypt traffic, bypassing encryption protections.

• Proxy-based Manipulation: Malicious proxies intercept requests and responses, modifying headers, payloads, or metadata to compromise data integrity.

Real-world procedures often involve sophisticated tools and techniques, including ARP spoofing, DNS cache poisoning, SSL stripping tools (e.g., sslstrip), and customized packet injection scripts.

When this Technique is Usually Used

Transmitted Data Manipulation is commonly employed in various attack scenarios and stages, including:

• Initial Access and Credential Harvesting: Attackers intercept authentication requests to capture or manipulate credentials, facilitating unauthorized access.

• Privilege Escalation and Lateral Movement: Manipulating transmitted data to exploit vulnerabilities in protocols or authentication mechanisms, escalating privileges or moving laterally within a network.

• Data Exfiltration and Espionage: Modifying transmitted data to evade detection, mask exfiltration activities, or deliver misleading information to defenders.

• Disruption and Denial of Service (DoS): Altering transmitted data to cause service disruption, degrade system performance, or create confusion and operational impact.

• Supply Chain Compromise: Manipulating transmitted data during software or firmware updates to deliver malicious payloads or backdoors to target systems.

How this Technique is Usually Detected

Detection of Transmitted Data Manipulation typically involves multiple approaches and tools, including:

• Network Intrusion Detection Systems (NIDS): Analyzing network traffic for anomalies, unexpected packet structures, or protocol deviations indicative of interception or manipulation.

• Encrypted Traffic Analysis: Monitoring SSL/TLS certificate validity, unexpected certificate authorities, or anomalies in encrypted traffic patterns.

• Endpoint Detection and Response (EDR) Tools: Monitoring endpoint behavior to detect unexpected communications, altered data payloads, or suspicious protocol usage.

• Integrity Verification Mechanisms: Employing cryptographic hashing, digital signatures, or message authentication codes (MACs) to verify transmitted data integrity.

• Logging and Monitoring: Collecting and analyzing logs from network devices, firewalls, proxies, and DNS servers for unusual requests, unexpected responses, or suspicious redirections.

Indicators of Compromise (IoCs) specific to this sub-technique include:

• Unexpected DNS resolutions or IP address changes.

• Untrusted SSL/TLS certificates or certificate warnings.

• Anomalous packet structures or protocol behavior.

• Suspicious ARP traffic or MAC address anomalies.

• Unusual proxy configurations or unexpected intermediate hosts.

Why it is Important to Detect This Technique

Early detection of Transmitted Data Manipulation is critical due to its potential impacts on systems and networks. Possible impacts include:

• Data Integrity Compromise: Manipulated data leads to incorrect decisions, operational disruptions, and loss of trust in data-driven processes.

• Credential Theft and Unauthorized Access: Intercepting and manipulating authentication data can result in unauthorized access, privilege escalation, and lateral movement.

• Espionage and Information Leakage: Attackers may manipulate data to exfiltrate sensitive information covertly or mislead defenders about the nature of exfiltrated data.

• Operational Disruption: Altered transmitted data can disrupt critical business operations, cause downtime, or degrade service reliability.

• Reputation Damage: Organizations experiencing data manipulation incidents may face significant reputational harm, loss of customer trust, and regulatory consequences.

Detecting this technique early allows organizations to mitigate these risks, respond rapidly to intrusion attempts, and maintain data integrity and operational continuity.

Examples

Real-world examples involving Transmitted Data Manipulation include:

• DNS Cache Poisoning Attack (Kaminsky Attack):

  • Scenario: Attackers exploit vulnerabilities in DNS resolution to inject malicious DNS responses.

  • Tools Used: Custom DNS spoofing scripts, DNS manipulation frameworks.

  • Impact: Redirecting legitimate traffic to attacker-controlled servers, enabling credential theft, malware delivery, or espionage.

• SSL Stripping Attack:

  • Scenario: Attackers intercept HTTPS requests, downgrade them to HTTP, and manipulate transmitted data to capture credentials.

  • Tools Used: sslstrip, mitmproxy, Ettercap.

  • Impact: Credential theft, unauthorized access, privacy compromise, and sensitive data leakage.

• BGP Hijacking Incident:

  • Scenario: Attackers manipulate Border Gateway Protocol (BGP) routing tables to redirect traffic through malicious infrastructure.

  • Tools Used: BGP route manipulation scripts, compromised router infrastructure.

  • Impact: Massive data interception, espionage, disruption of internet services, and significant operational and reputational damage.

• Email Protocol Manipulation (SMTP Manipulation):

  • Scenario: Attackers intercept and modify SMTP traffic to inject malicious attachments or alter email contents.

  • Tools Used: Custom SMTP interceptors, proxy manipulation tools.

  • Impact: Spear-phishing attacks, malware infection, data theft, and impersonation attacks.

• Industrial Control Systems (ICS) Traffic Manipulation:

  • Scenario: Attackers intercept and manipulate Modbus or other ICS protocols to disrupt critical infrastructure operations.

  • Tools Used: Customized ICS protocol manipulation frameworks, packet injection tools.

  • Impact: Operational disruption, physical damage to equipment, safety hazards, and significant financial losses.