Which SIEM platforms have a T1001.002 detection rule?

df00tech provides T1001.002 (Steganography) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Steganography (T1001.002)?

Detecting Steganography requires the following data sources: Process: Process Creation, File: File Creation, File: File Modification, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1001.002 detection?

The T1001.002 detection is rated high severity with medium confidence.

What are common false positives for T1001.002?

Common false positives for T1001.002 include: Legitimate graphic design or photography software that uses image processing libraries referencing pixel manipulation functions like GetPixel/SetPixel; Security researchers or penetration testers running steganography analysis tools in lab environments; Digital watermarking software used by media organizations to embed copyright information in images.

T1001.002 Elastic Security · Elastic

Detect Steganography in Elastic Security

Adversaries may use steganographic techniques to hide command and control traffic within digital media files (images, PDFs, etc.) to evade detection. Commands or data can be embedded in image files (JPG, PNG, GIF, BMP) or documents using techniques such as Least Significant Bit (LSB) encoding, appending data after EOF markers, or hiding data in file format metadata and structures (e.g., IDAT chunks in PNG). Real-world malware including HAMMERTOSS, LunarWeb, LunarMail, ZeroT, LightNeuron, RDAT, Duqu, and Sliver have leveraged steganographic C2 channels. Detection focuses on process behavior (tools that process or download image files with unusual patterns), network anomalies (HTTP traffic downloading image files at regular intervals with response size variance), and file system indicators (known steganography utilities being executed).

MITRE ATT&CK

Tactic: Command and Control
Technique: T1001 Data Obfuscation
Sub-technique: T1001.002 Steganography
Canonical reference: https://attack.mitre.org/techniques/T1001/002/

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by host.name with maxspan=5m
[
  process where event.type == "start" and
  (
    process.name in ("steghide", "outguess", "stegdetect", "openstego", "silenteye", "stegosuite", "snow.exe", "jphide", "jpseek", "camouflage")
    or (process.name in ("python.exe", "python3", "python") and process.args : ("*steg*", "*lsb*", "*steganograph*"))
    or (process.name in ("powershell.exe", "pwsh.exe") and process.args : ("*LSB*", "*Invoke-PSImage*", "*Invoke-Steganography*", "*LockBits*", "*GetPixel*", "*SetPixel*", "*BitmapImage*", "*IDAT*"))
    or (process.name == "certutil.exe" and process.args : ("-encode", "-decode") and process.args : ("*.jpg*", "*.jpeg*", "*.png*", "*.gif*", "*.bmp*"))
  )
]
any where true

// Standalone: Suspicious image file writes by LOLBins
file where event.type in ("creation", "change") and
  file.extension in ("jpg", "jpeg", "png", "gif", "bmp", "tiff", "webp") and
  process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                    "bitsadmin.exe", "curl.exe", "wget.exe")

// Standalone: Binary copy trick to embed data in image
process where event.type == "start" and
  process.name == "cmd.exe" and
  process.command_line regex~ "copy\s.*/[bB].*\.(jpg|jpeg|png|gif|bmp)|copy.*\.(jpg|jpeg|png|gif|bmp).*/[bB]"

high severity medium confidence

Detects steganography techniques including known tool execution, PowerShell LSB pixel manipulation, suspicious image file writes by LOLBins, certutil encoding operations on image files, and binary copy tricks used to embed data in image files. Maps to MITRE ATT&CK T1001.002.

Data Sources

Elastic EndpointElastic AgentWinlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

Legitimate graphic designers or forensic investigators using steganography tools for authorized purposes
Security researchers running steganography detection tooling in lab environments
Python scripts using pillow/PIL for legitimate image processing that happen to use pixel-level operations
Automated image processing pipelines using certutil for base64 encoding of image assets
CTF competition participants using steganography tools

Download portable Sigma rule (.yml)

Other platforms for T1001.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Steghide - Embed and Extract Data in JPEG
Expected signal: Sysmon Event ID 1 (Linux equivalent via auditd execve syscall): Process creation for 'steghide' with arguments 'embed' and 'extract'. File creation events for /tmp/carrier_test.jpg modification and /tmp/extracted_payload.txt creation. Auditd SYSCALL records for open/write on image file.
Test 2PowerShell LSB Steganography - Encode Command in PNG
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'GetPixel', 'SetPixel', 'Bitmap', 'LSB'. Sysmon Event ID 11: File Create for C:\Temp\stego_test.png by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with full script content including bitmap manipulation code.
Test 3Python Steganography - Embed Data Using PIL
Expected signal: Auditd EXECVE syscall for python3 with script content referencing PIL, Image.open, getdata, putdata. File creation events for /tmp/carrier_image.png and /tmp/stego_output.png. If Sysmon for Linux is deployed: Event ID 1 for python3 process, Event ID 11 for .png file creation.
Test 4Windows CMD Binary Copy - Append Data to JPEG (Polyglot File)
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with -urlcache arguments, and cmd.exe with 'copy /b' and .jpg in command line. Sysmon Event ID 3: Network connection from certutil.exe to httpbin.org. Sysmon Event ID 11: File creation for output_stego.jpg. Windows Security Event ID 4688 if process auditing enabled.

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1001.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Steganography in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1001.002

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1001.002

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox