T1001.002

Steganography

Adversaries may use steganographic techniques to hide command and control traffic within digital media files (images, PDFs, etc.) to evade detection. Commands or data can be embedded in image files (JPG, PNG, GIF, BMP) or documents using techniques such as Least Significant Bit (LSB) encoding, appending data after EOF markers, or hiding data in file format metadata and structures (e.g., IDAT chunks in PNG). Real-world malware including HAMMERTOSS, LunarWeb, LunarMail, ZeroT, LightNeuron, RDAT, Duqu, and Sliver have leveraged steganographic C2 channels. Detection focuses on process behavior (tools that process or download image files with unusual patterns), network anomalies (HTTP traffic downloading image files at regular intervals with response size variance), and file system indicators (known steganography utilities being executed).

Microsoft Sentinel / Defender

kusto

let StegoTools = dynamic(["steghide", "outguess", "stegdetect", "openstego", "silenteye", "stegosuite", "snow.exe", "jphide", "jpseek", "camouflage"]);
let StegoExtensions = dynamic([".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".webp"]);
// Detection 1: Known steganography tool execution
let StegoToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (StegoTools)
    or ProcessCommandLine has_any (StegoTools)
    or (FileName =~ "python.exe" and ProcessCommandLine has_any ("steg", "lsb", "steganography"))
    or (FileName =~ "python3" and ProcessCommandLine has_any ("steg", "lsb", "steganography"))
| extend DetectionType = "StegoToolExecution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 2: Image files downloaded and then executed or read by suspicious processes
let SuspiciousImageRead = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName has_any (StegoExtensions)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
          "bitsadmin.exe", "curl.exe", "wget.exe")
| where ActionType in ("FileCreated", "FileModified")
| extend DetectionType = "SuspiciousImageFileWrite"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          FileName, FolderPath, InitiatingProcessFileName,
          InitiatingProcessCommandLine, DetectionType;
// Detection 3: certutil or other tools embedding data into image files
let DataEmbeddingTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "certutil.exe" and ProcessCommandLine has_any ("-encode", "-decode", "-f"))
    or (FileName =~ "copy.exe" and ProcessCommandLine matches regex @"/[bB].*\.(jpg|jpeg|png|gif|bmp)")
    or (ProcessCommandLine matches regex @"copy\s.*/[bB].*\.(jpg|jpeg|png|gif|bmp)")
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("LSB", "Invoke-PSImage", "Invoke-Steganography", "BitmapImage", "LockBits", "GetPixel", "SetPixel", "IDAT"))
| extend DetectionType = "DataEmbeddingTool"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union StegoToolExecution, SuspiciousImageRead, DataEmbeddingTools
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation File: File Modification Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate graphic design or photography software that uses image processing libraries referencing pixel manipulation functions like GetPixel/SetPixel
Security researchers or penetration testers running steganography analysis tools in lab environments
Digital watermarking software used by media organizations to embed copyright information in images
Forensics tools (e.g., Autopsy plugins) that analyze image files for hidden content during incident response
Python machine learning or computer vision scripts using PIL/Pillow that process image pixel data

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval EventCode=coalesce(EventCode, event_id)
| where (EventCode=1 OR EventCode=4688 OR EventCode=11)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, "")
| eval Image=coalesce(Image, NewProcessName, "")
| eval ParentImage=coalesce(ParentImage, ParentProcessName, "")
| eval FileName=lower(mvindex(split(Image, "\\"), -1))
| eval TargetFileName=lower(coalesce(TargetFilename, ""))
// Detection flag: Known steganography tools
| eval StegoTool=if(match(FileName, "(steghide|outguess|stegdetect|openstego|silenteye|stegosuite|snow\.exe|jphide|jpseek|camouflage)") OR match(lower(CommandLine), "(steghide|outguess|openstego|silenteye|stegosuite|invoke-psimage|invoke-steganography)"), 1, 0)
// Detection flag: PowerShell doing bitmap/pixel manipulation (LSB stego)
| eval LSBManipulation=if(match(FileName, "powershell\.exe|pwsh\.exe") AND match(lower(CommandLine), "(lsb|lockbits|getpixel|setpixel|bitmapimage|idat|steganograph)"), 1, 0)
// Detection flag: Image files created/written by suspicious processes
| eval SuspiciousImageWrite=if(EventCode=11 AND match(TargetFileName, "\.(jpg|jpeg|png|gif|bmp|tiff|webp)$") AND match(lower(Image), "(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)"), 1, 0)
// Detection flag: certutil encoding operations
| eval CertutilEncoding=if(match(FileName, "certutil\.exe") AND match(lower(CommandLine), "(-encode|-decode)") AND match(lower(CommandLine), "\.(jpg|jpeg|png|gif|bmp)"), 1, 0)
// Detection flag: Binary copy to image (cmd copy /b trick)
| eval BinaryCopyToImage=if(match(lower(CommandLine), "copy.*/b.*\.(jpg|jpeg|png|gif|bmp)|copy.*\.(jpg|jpeg|png|gif|bmp).*/b"), 1, 0)
| eval SuspicionScore=StegoTool + LSBManipulation + SuspiciousImageWrite + CertutilEncoding + BinaryCopyToImage
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, TargetFileName, StegoTool, LSBManipulation, SuspiciousImageWrite, CertutilEncoding, BinaryCopyToImage, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 11 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate graphic design or photography software that uses image processing libraries referencing pixel manipulation functions like GetPixel/SetPixel
Security researchers or penetration testers running steganography analysis tools in lab environments
Digital watermarking software used by media organizations to embed copyright information in images
Forensics tools (e.g., Autopsy plugins) that analyze image files for hidden content during incident response
Python machine learning or computer vision scripts using PIL/Pillow that process image pixel data

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  process where event.type == "start" and
  (
    process.name in ("steghide", "outguess", "stegdetect", "openstego", "silenteye", "stegosuite", "snow.exe", "jphide", "jpseek", "camouflage")
    or (process.name in ("python.exe", "python3", "python") and process.args : ("*steg*", "*lsb*", "*steganograph*"))
    or (process.name in ("powershell.exe", "pwsh.exe") and process.args : ("*LSB*", "*Invoke-PSImage*", "*Invoke-Steganography*", "*LockBits*", "*GetPixel*", "*SetPixel*", "*BitmapImage*", "*IDAT*"))
    or (process.name == "certutil.exe" and process.args : ("-encode", "-decode") and process.args : ("*.jpg*", "*.jpeg*", "*.png*", "*.gif*", "*.bmp*"))
  )
]
any where true

// Standalone: Suspicious image file writes by LOLBins
file where event.type in ("creation", "change") and
  file.extension in ("jpg", "jpeg", "png", "gif", "bmp", "tiff", "webp") and
  process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                    "bitsadmin.exe", "curl.exe", "wget.exe")

// Standalone: Binary copy trick to embed data in image
process where event.type == "start" and
  process.name == "cmd.exe" and
  process.command_line regex~ "copy\s.*/[bB].*\.(jpg|jpeg|png|gif|bmp)|copy.*\.(jpg|jpeg|png|gif|bmp).*/[bB]"

high severity medium confidence

Data Sources

Elastic Endpoint Elastic Agent Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate graphic designers or forensic investigators using steganography tools for authorized purposes
Security researchers running steganography detection tooling in lab environments
Python scripts using pillow/PIL for legitimate image processing that happen to use pixel-level operations
Automated image processing pipelines using certutil for base64 encoding of image assets
CTF competition participants using steganography tools

IBM QRadar (AQL)

sql

-- Detection 1: Known steganography tool execution (Sysmon Event ID 1 / WinEvent 4688)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "username" AS UserName,
  "hostname" AS HostName,
  "ProcessPath" AS ImagePath,
  "CommandLine" AS CommandLine,
  "ParentProcessPath" AS ParentImage,
  QIDNAME(qid) AS EventName,
  'StegoToolExecution' AS DetectionType
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 232)
  AND (qid = 5000001 OR qid = 4688
       OR (CATEGORYNAME(category) LIKE '%Process%' AND eventid = 1)
       OR (CATEGORYNAME(category) LIKE '%Process%' AND eventid = 4688))
  AND (
    LOWER("ProcessPath") MATCHES '(steghide|outguess|stegdetect|openstego|silenteye|stegosuite|snow\.exe|jphide|jpseek|camouflage)'
    OR LOWER("CommandLine") MATCHES '(steghide|outguess|openstego|invoke-psimage|invoke-steganography|lockbits|getpixel|setpixel|bitmapimage|idat)'
    OR (
      LOWER("ProcessPath") MATCHES '(powershell\.exe|pwsh\.exe)'
      AND LOWER("CommandLine") MATCHES '(lsb|steganograph)'
    )
    OR (
      LOWER("ProcessPath") MATCHES 'certutil\.exe'
      AND LOWER("CommandLine") MATCHES '(-encode|-decode)'
      AND LOWER("CommandLine") MATCHES '\.(jpg|jpeg|png|gif|bmp)'
    )
  )
  AND LOGSOURCETIME(starttime) > NOW() - 1 DAYS

UNION ALL

-- Detection 2: Suspicious image file writes by LOLBins (Sysmon Event ID 11)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "username" AS UserName,
  "hostname" AS HostName,
  "ProcessPath" AS ImagePath,
  "CommandLine" AS CommandLine,
  "TargetFilename" AS ParentImage,
  QIDNAME(qid) AS EventName,
  'SuspiciousImageWrite' AS DetectionType
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 232)
  AND eventid = 11
  AND LOWER("TargetFilename") MATCHES '\.(jpg|jpeg|png|gif|bmp|tiff|webp)$'
  AND LOWER("ProcessPath") MATCHES '(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)'
  AND LOGSOURCETIME(starttime) > NOW() - 1 DAYS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar Windows Sysmon DSM QRadar Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Legitimate forensic investigations or red team exercises using steganography tools
Security awareness training involving steganography demonstrations
Automated image conversion pipelines using certutil or PowerShell for image encoding tasks
Development environments testing image processing libraries with pixel manipulation
Pen testers running authorized tools during an engagement

Sumo Logic CSE

sql

// Detection 1: Known steganography tool execution
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as cmd_lower
| eval cmd_lower = toLowerCase(CommandLine)
| eval image_lower = toLowerCase(Image)
| eval stego_tool = if(
    image_lower matches "(steghide|outguess|stegdetect|openstego|silenteye|stegosuite|snow\.exe|jphide|jpseek|camouflage)"
    or cmd_lower matches "(steghide|outguess|openstego|invoke-psimage|invoke-steganography)",
    1, 0)
| eval lsb_manipulation = if(
    image_lower matches "(powershell\.exe|pwsh\.exe)"
    and cmd_lower matches "(lsb|lockbits|getpixel|setpixel|bitmapimage|idat|steganograph)",
    1, 0)
| eval certutil_encoding = if(
    image_lower matches "certutil\.exe"
    and cmd_lower matches "(-encode|-decode)"
    and cmd_lower matches "\.(jpg|jpeg|png|gif|bmp)",
    1, 0)
| eval binary_copy = if(
    cmd_lower matches "copy.*/b.*\.(jpg|jpeg|png|gif|bmp)|copy.*\.(jpg|jpeg|png|gif|bmp).*/b",
    1, 0)
| eval suspicion_score = stego_tool + lsb_manipulation + certutil_encoding + binary_copy
| where suspicion_score > 0
| fields _time, host, User, Image, CommandLine, ParentImage, stego_tool, lsb_manipulation, certutil_encoding, binary_copy, suspicion_score
| sort by suspicion_score desc, _time desc

// Detection 2: Suspicious image file writes (Sysmon Event 11)
// Run separately:
// (_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
// | where EventID = "11"
// | where toLowerCase(TargetFilename) matches "\.(jpg|jpeg|png|gif|bmp|tiff|webp)$"
// | where toLowerCase(Image) matches "(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)"
// | fields _time, host, User, Image, TargetFilename
// | sort by _time desc

high severity medium confidence

Data Sources

Sumo Logic Windows Source (Sysmon) Sumo Logic Windows Source (Security Event Log)

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Digital forensics teams using steganography analysis tools in authorized investigations
Security researchers analyzing malware samples containing steganographic content
Legitimate image batch processing scripts using PowerShell and pixel-level operations
CTF participants using steganography tools on competition infrastructure
Pentesters authorized to use steganographic C2 channels during red team exercises

Google Chronicle / SecOps

yaral

rule t1001_002_steganography_tool_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects steganography tool execution and data embedding techniques per MITRE ATT&CK T1001.002"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1001.002"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"

  events:
    // Event variable for process execution
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Match known steganography tools by process name or command line
    (
      re.regex($e.principal.process.file.full_path, `(?i)(steghide|outguess|stegdetect|openstego|silenteye|stegosuite|snow\.exe|jphide|jpseek|camouflage)`)
      or re.regex($e.principal.process.command_line, `(?i)(steghide|outguess|openstego|invoke-psimage|invoke-steganography|lockbits|getpixel|setpixel|bitmapimage|idat)`)
      or (
        re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|python\.exe|python3)`)
        and re.regex($e.principal.process.command_line, `(?i)(lsb|steganograph|lockbits|getpixel|setpixel|bitmapimage|idat)`)
      )
      or (
        re.regex($e.principal.process.file.full_path, `(?i)certutil\.exe`)
        and re.regex($e.principal.process.command_line, `(?i)(-encode|-decode)`)
        and re.regex($e.principal.process.command_line, `(?i)\.(jpg|jpeg|png|gif|bmp)`)
      )
      or re.regex($e.principal.process.command_line, `(?i)copy\s.*/[bB].*\.(jpg|jpeg|png|gif|bmp)|copy.*\.(jpg|jpeg|png|gif|bmp).*/[bB]`)
    )

  condition:
    $e
}

rule t1001_002_suspicious_image_file_write {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious image file writes by LOLBins that may indicate steganographic data embedding (T1001.002)"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1001.002"
    severity = "MEDIUM"
    priority = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "FILE_CREATION"

    // Image file extension
    re.regex($e.target.file.full_path, `(?i)\.(jpg|jpeg|png|gif|bmp|tiff|webp)$`)

    // Written by known LOLBins
    re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM (Windows Endpoint) Chronicle Forwarder with Sysmon Chronicle Forwarder with CrowdStrike Falcon

Required Tables

PROCESS_LAUNCH FILE_CREATION

False Positives

Legitimate forensic analysts using steganography tools for authorized digital investigations
Red team operators using authorized steganographic C2 channels during an engagement
Developers building image processing tools that use pixel-manipulation APIs
Automated build pipelines writing image assets via scripting tools like PowerShell
Security researchers analyzing steganographic malware in sandboxed environments

CrowdStrike LogScale (CQL)

cql

// Detection 1: Known steganography tool execution via Falcon process telemetry
#event_simpleName=ProcessRollup2
| FileName =~ regex("(?i)(steghide|outguess|stegdetect|openstego|silenteye|stegosuite|snow\\.exe|jphide|jpseek|camouflage)")
    OR CommandLine =~ regex("(?i)(steghide|outguess|openstego|invoke-psimage|invoke-steganography|lockbits|getpixel|setpixel|bitmapimage|idat)")
    OR (FileName =~ regex("(?i)(powershell\.exe|pwsh\.exe|python\.exe|python3\.exe)") AND CommandLine =~ regex("(?i)(lsb|steganograph|lockbits|getpixel|setpixel|bitmapimage|idat)"))
    OR (FileName =~ regex("(?i)certutil\.exe") AND CommandLine =~ regex("(?i)(-encode|-decode)") AND CommandLine =~ regex("(?i)\\.(jpg|jpeg|png|gif|bmp)"))
    OR CommandLine =~ regex("(?i)copy\\s.*/[bB].*\\.(jpg|jpeg|png|gif|bmp)")
| eval DetectionType = case(
    FileName =~ regex("(?i)(steghide|outguess|stegdetect|openstego|silenteye|stegosuite|snow\\.exe|jphide|jpseek|camouflage)"), "KnownStegoTool",
    FileName =~ regex("(?i)(powershell\.exe|pwsh\.exe)") AND CommandLine =~ regex("(?i)(lsb|lockbits|getpixel|setpixel|bitmapimage|idat|steganograph)"), "LSBManipulation",
    FileName =~ regex("(?i)certutil\.exe") AND CommandLine =~ regex("(?i)(-encode|-decode)"), "CertutilEncoding",
    CommandLine =~ regex("(?i)copy.*/[bB].*\\.(jpg|jpeg|png|gif|bmp)"), "BinaryCopyToImage",
    "CommandLineMatch"
  )
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionType])
| sort(field=@timestamp, order=desc)

// Detection 2: Image file writes by suspicious processes (Sysmon-equivalent via Falcon)
// Run separately in LogScale:
// #event_simpleName=PeFileWritten OR #event_simpleName=SyntheticProcessRollup2
// | TargetFileName =~ regex("(?i)\\.(jpg|jpeg|png|gif|bmp|tiff|webp)$")
// | ImageFileName =~ regex("(?i)(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)")
// | table([@timestamp, ComputerName, UserName, ImageFileName, TargetFileName, CommandLine])
// | sort(field=@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2) CrowdStrike Falcon Sensor (PeFileWritten)

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=PeFileWritten

False Positives

Authorized red team operators using steganographic C2 during an engagement
Security researchers analyzing steganographic malware samples on dedicated analysis hosts
Legitimate graphic processing automation using PowerShell and System.Drawing APIs
Forensic investigators using stegdetect or similar tools to analyze images in evidence
CTF competition participants running steganography challenges on shared infrastructure

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1001.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Steganography

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections