T1001.002 Google Chronicle · YARA-L

Detect Steganography in Google Chronicle

Adversaries may use steganographic techniques to hide command and control traffic within digital media files (images, PDFs, etc.) to evade detection. Commands or data can be embedded in image files (JPG, PNG, GIF, BMP) or documents using techniques such as Least Significant Bit (LSB) encoding, appending data after EOF markers, or hiding data in file format metadata and structures (e.g., IDAT chunks in PNG). Real-world malware including HAMMERTOSS, LunarWeb, LunarMail, ZeroT, LightNeuron, RDAT, Duqu, and Sliver have leveraged steganographic C2 channels. Detection focuses on process behavior (tools that process or download image files with unusual patterns), network anomalies (HTTP traffic downloading image files at regular intervals with response size variance), and file system indicators (known steganography utilities being executed).
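As an added example (not part of the original page), the following Python check looks for the "data appended after the EOF marker" technique described above by walking the PNG chunk list past IEND and the JPEG marker segments past EOI; the sample files are constructed inline and are not real captures.

```python
"""Added example (not from the page): a defender-side check for data appended
after an image's logical end-of-file marker, one of the embedding techniques
described above. Handles PNG (past IEND) and JPEG (past EOI); the sample
files are constructed inline, not real captures."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data):
    """Walk the chunk list; return the offset just past the IEND chunk, or None."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                 # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end_offset(data):
    """Walk marker segments up to SOS, then return the offset just past EOI, or None."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                    # EOI with no scan data at all
            return pos + 2
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                    # SOS: entropy-coded data follows
            # In scan data 0xFF is stuffed as FF 00, so the first FF D9 is taken as EOI.
            idx = data.find(b"\xff\xd9", pos)
            return None if idx < 0 else idx + 2
    return None

def trailing_bytes(data):
    """Number of bytes after the format's end marker; None if the format is unrecognised."""
    end = png_end_offset(data) or jpeg_end_offset(data)
    return None if end is None else len(data) - end

def _png_chunk(ctype, payload=b""):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

# Constructed samples: a valid 1x1 greyscale PNG and a structurally minimal (non-decodable) JPEG.
SAMPLE_PNG = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND"))
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"
               + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\xff\x00\x34\xff\xd9")
```

A non-zero result is a triage lead, not proof: legitimate files can carry benign trailers, so compare against the file's source and size history before escalating.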

MITRE ATT&CK

Tactic
Command and Control
Technique
T1001 Data Obfuscation
Sub-technique
T1001.002 Steganography
Canonical reference
https://attack.mitre.org/techniques/T1001/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1001_002_steganography_tool_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects steganography tool execution and data embedding techniques per MITRE ATT&CK T1001.002"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1001.002"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"

  events:
    // Event variable for process execution
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Match known steganography tools by process name or command line
    (
      re.regex($e.principal.process.file.full_path, `(?i)(steghide|outguess|stegdetect|openstego|silenteye|stegosuite|snow\.exe|jphide|jpseek|camouflage)`)
      or re.regex($e.principal.process.command_line, `(?i)(steghide|outguess|openstego|invoke-psimage|invoke-steganography|lockbits|getpixel|setpixel|bitmapimage|idat)`)
      or (
        re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|python\.exe|python3)`)
        and re.regex($e.principal.process.command_line, `(?i)(lsb|steganograph|lockbits|getpixel|setpixel|bitmapimage|idat)`)
      )
      or (
        re.regex($e.principal.process.file.full_path, `(?i)certutil\.exe`)
        and re.regex($e.principal.process.command_line, `(?i)(-encode|-decode)`)
        and re.regex($e.principal.process.command_line, `(?i)\.(jpg|jpeg|png|gif|bmp)`)
      )
      or re.regex($e.principal.process.command_line, `(?i)copy\s.*/[bB].*\.(jpg|jpeg|png|gif|bmp)|copy.*\.(jpg|jpeg|png|gif|bmp).*/[bB]`)
    )

  condition:
    $e
}

rule t1001_002_suspicious_image_file_write {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious image file writes by LOLBins that may indicate steganographic data embedding (T1001.002)"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1001.002"
    severity = "MEDIUM"
    priority = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "FILE_CREATION"

    // Image file extension
    re.regex($e.target.file.full_path, `(?i)\.(jpg|jpeg|png|gif|bmp|tiff|webp)$`)

    // Written by known LOLBins
    re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)`)

  condition:
    $e
}

Two Chronicle YARA-L 2.0 rules: the first detects known steganography tool execution and command-line indicators including PowerShell LSB manipulation and certutil encoding; the second detects image file creation by known LOLBins. Both map to MITRE ATT&CK T1001.002.
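To sanity-check the matching logic before deploying the rules, the following added example (not part of the original page or the vendor's rules) replays the two rules' regex predicates in Python over constructed UDM-style events modelled on the page's Atomic Red Team test descriptions; the dictionary keys mirror the UDM field paths used in the rules.

```python
"""Added example (not from the page): a local harness that replays the regex
predicates of the two YARA-L rules above over constructed UDM-style events.
Keys follow the UDM field paths the rules use; all events are made up."""
import re

def _r(pattern, value):
    """Regex search that tolerates a missing field (YARA-L would simply not match)."""
    return re.search(pattern, value or "") is not None

TOOLS = r"(?i)(steghide|outguess|stegdetect|openstego|silenteye|stegosuite|snow\.exe|jphide|jpseek|camouflage)"
CMD_WORDS = r"(?i)(steghide|outguess|openstego|invoke-psimage|invoke-steganography|lockbits|getpixel|setpixel|bitmapimage|idat)"
SCRIPT_HOSTS = r"(?i)(powershell\.exe|pwsh\.exe|python\.exe|python3)"
LSB_WORDS = r"(?i)(lsb|steganograph|lockbits|getpixel|setpixel|bitmapimage|idat)"
IMG_EXT = r"(?i)\.(jpg|jpeg|png|gif|bmp)"
COPY_B = r"(?i)copy\s.*/[bB].*\.(jpg|jpeg|png|gif|bmp)|copy.*\.(jpg|jpeg|png|gif|bmp).*/[bB]"
LOLBINS = r"(?i)(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)"
IMG_WRITE_EXT = r"(?i)\.(jpg|jpeg|png|gif|bmp|tiff|webp)$"

def rule_tool_execution(ev):
    """Mirror of t1001_002_steganography_tool_execution."""
    if ev.get("metadata.event_type") != "PROCESS_LAUNCH":
        return False
    path, cmd = ev.get("principal.process.file.full_path"), ev.get("principal.process.command_line")
    return (_r(TOOLS, path) or _r(CMD_WORDS, cmd)
            or (_r(SCRIPT_HOSTS, path) and _r(LSB_WORDS, cmd))
            or (_r(r"(?i)certutil\.exe", path) and _r(r"(?i)(-encode|-decode)", cmd) and _r(IMG_EXT, cmd))
            or _r(COPY_B, cmd))

def rule_image_file_write(ev):
    """Mirror of t1001_002_suspicious_image_file_write."""
    return (ev.get("metadata.event_type") == "FILE_CREATION"
            and _r(IMG_WRITE_EXT, ev.get("target.file.full_path"))
            and _r(LOLBINS, ev.get("principal.process.file.full_path")))

def evaluate(events):
    """Return {name: (rule1_fires, rule2_fires)} for a dict of named events."""
    return {n: (rule_tool_execution(e), rule_image_file_write(e)) for n, e in events.items()}

# Constructed events modelled on the page's test descriptions (Tests 1, 4 and 2).
P, F = "PROCESS_LAUNCH", "FILE_CREATION"
EVENTS = {
    "steghide": {"metadata.event_type": P, "principal.process.file.full_path": "/usr/bin/steghide",
                 "principal.process.command_line": "steghide embed"},
    "certutil_decode": {"metadata.event_type": P, "principal.process.file.full_path": r"C:\Windows\System32\certutil.exe",
                        "principal.process.command_line": "certutil -decode carrier_test.png out.bin"},
    "copy_b": {"metadata.event_type": P, "principal.process.file.full_path": r"C:\Windows\System32\cmd.exe",
               "principal.process.command_line": "cmd.exe /c copy /b carrier.jpg + data.bin output_stego.jpg"},
    "ps_png_write": {"metadata.event_type": F, "target.file.full_path": r"C:\Temp\stego_test.png",
                     "principal.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
}
```

Feeding the harness the benign cases from the tuning list (for example a build pipeline writing PNG assets via PowerShell) shows which rule each false-positive class would trip, which is what the exclusions should be written against.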

Data Sources

  • Google Chronicle UDM (Windows Endpoint)
  • Chronicle Forwarder with Sysmon
  • Chronicle Forwarder with CrowdStrike Falcon

Required Tables

  • PROCESS_LAUNCH
  • FILE_CREATION

False Positives & Tuning

  • Legitimate forensic analysts using steganography tools for authorized digital investigations
  • Red team operators using authorized steganographic C2 channels during an engagement
  • Developers building image processing tools that use pixel-manipulation APIs
  • Automated build pipelines writing image assets via scripting tools like PowerShell
  • Security researchers analyzing steganographic malware in sandboxed environments

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Steghide - Embed and Extract Data in JPEG

    Expected signal: Sysmon Event ID 1 (Linux equivalent via auditd execve syscall): Process creation for 'steghide' with arguments 'embed' and 'extract'. File creation events for /tmp/carrier_test.jpg modification and /tmp/extracted_payload.txt creation. Auditd SYSCALL records for open/write on image file.

  2. Test 2: PowerShell LSB Steganography - Encode Command in PNG

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'GetPixel', 'SetPixel', 'Bitmap', 'LSB'. Sysmon Event ID 11: File Create for C:\Temp\stego_test.png by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with full script content including bitmap manipulation code.

  3. Test 3: Python Steganography - Embed Data Using PIL

    Expected signal: Auditd EXECVE syscall for python3 with script content referencing PIL, Image.open, getdata, putdata. File creation events for /tmp/carrier_image.png and /tmp/stego_output.png. If Sysmon for Linux is deployed: Event ID 1 for python3 process, Event ID 11 for .png file creation.

  4. Test 4: Windows CMD Binary Copy - Append Data to JPEG (Polyglot File)

    Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with -urlcache arguments, and cmd.exe with 'copy /b' and .jpg in the command line. Sysmon Event ID 3: Network connection from certutil.exe to httpbin.org. Sysmon Event ID 11: File creation for output_stego.jpg. Windows Security Event ID 4688 if process creation auditing is enabled.
