Detect Steganography in Microsoft Sentinel
Adversaries may use steganographic techniques to hide command and control traffic within digital media files (images, PDFs, etc.) to evade detection. Commands or data can be embedded in image files (JPG, PNG, GIF, BMP) or documents using techniques such as Least Significant Bit (LSB) encoding, appending data after EOF markers, or hiding data in file format metadata and structures (e.g., IDAT chunks in PNG). Real-world malware including HAMMERTOSS, LunarWeb, LunarMail, ZeroT, LightNeuron, RDAT, Duqu, and Sliver have leveraged steganographic C2 channels. Detection focuses on process behavior (tools that process or download image files with unusual patterns), network anomalies (HTTP traffic downloading image files at regular intervals with response size variance), and file system indicators (known steganography utilities being executed).
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1001 Data Obfuscation
- Sub-technique: T1001.002 Steganography
- Canonical reference: https://attack.mitre.org/techniques/T1001/002/
KQL Detection Query
let StegoTools = dynamic(["steghide", "outguess", "stegdetect", "openstego", "silenteye", "stegosuite", "snow.exe", "jphide", "jpseek", "camouflage"]);
let StegoExtensions = dynamic([".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".webp"]);
// Detection 1: Known steganography tool execution, or a Python interpreter (python.exe, python3, python3.x)
// launched with steganography-related arguments
let StegoToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (StegoTools)
    or ProcessCommandLine has_any (StegoTools)
    or (FileName startswith "python" and ProcessCommandLine has_any ("steg", "lsb", "steganography"))
| extend DetectionType = "StegoToolExecution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 2: Image files written to disk by LOLBins or download utilities that may be retrieving stego-encoded payloads
// (the extension is extracted explicitly so that term matching on ".jpg" cannot hit names such as "jpg.exe")
let SuspiciousImageWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| extend Extension = tolower(extract(@"(\.[A-Za-z0-9]+)$", 1, FileName))
| where Extension in (StegoExtensions)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "curl.exe", "wget.exe")
| where ActionType in ("FileCreated", "FileModified")
| extend DetectionType = "SuspiciousImageFileWrite"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
    FileName, FolderPath, InitiatingProcessFileName,
    InitiatingProcessCommandLine, DetectionType;
// Detection 3: certutil or other tools embedding data into image files
// ("copy" is a cmd.exe builtin rather than a separate binary, so the binary-mode copy is matched on the command line;
// the regex is case-insensitive because "copy /B" and ".JPG" are equally valid)
let DataEmbeddingTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "certutil.exe" and ProcessCommandLine has_any ("-encode", "-decode", "-f"))
    or (ProcessCommandLine matches regex @"(?i)copy\s.*/b.*\.(jpg|jpeg|png|gif|bmp)")
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("LSB", "Invoke-PSImage", "Invoke-Steganography", "BitmapImage", "LockBits", "GetPixel", "SetPixel", "IDAT"))
| extend DetectionType = "DataEmbeddingTool"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union StegoToolExecution, SuspiciousImageWrite, DataEmbeddingTools
| sort by Timestamp desc

Detects steganography-based C2 activity using three complementary sub-detections: (1) execution of known steganography utilities (steghide, outguess, openstego, silenteye, etc.) or Python scripts referencing steganography libraries; (2) image files being written to disk by suspicious LOLBin processes (PowerShell, certutil, MSHTA, etc.) that could be downloading stego-encoded payloads; (3) processes using data-embedding techniques such as certutil encoding, binary-mode file copy to image files, or PowerShell accessing bitmap pixel data (LSB manipulation). Results are unioned for comprehensive coverage.
Data Sources
Required Tables: DeviceProcessEvents (Detections 1 and 3) and DeviceFileEvents (Detection 2)
False Positives & Tuning
- Legitimate graphic design or photography software that uses image processing libraries referencing pixel manipulation functions like GetPixel/SetPixel
- Security researchers or penetration testers running steganography analysis tools in lab environments
- Digital watermarking software used by media organizations to embed copyright information in images
- Forensics tools (e.g., Autopsy plugins) that analyze image files for hidden content during incident response
- Python machine learning or computer vision scripts using PIL/Pillow that process image pixel data
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Steghide - Embed and Extract Data in JPEG
  Expected signal: Sysmon Event ID 1 (Linux equivalent via auditd execve syscall): Process creation for 'steghide' with arguments 'embed' and 'extract'. File creation events for /tmp/carrier_test.jpg modification and /tmp/extracted_payload.txt creation. Auditd SYSCALL records for open/write on image file.
- Test 2: PowerShell LSB Steganography - Encode Command in PNG
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'GetPixel', 'SetPixel', 'Bitmap', 'LSB'. Sysmon Event ID 11: File Create for C:\Temp\stego_test.png by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with full script content including bitmap manipulation code.
- Test 3: Python Steganography - Embed Data Using PIL
  Expected signal: Auditd EXECVE syscall for python3 with script content referencing PIL, Image.open, getdata, putdata. File creation events for /tmp/carrier_image.png and /tmp/stego_output.png. If Sysmon for Linux is deployed: Event ID 1 for python3 process, Event ID 11 for .png file creation.
- Test 4: Windows CMD Binary Copy - Append Data to JPEG (Polyglot File)
  Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with -urlcache arguments, and cmd.exe with 'copy /b' and .jpg in command line. Sysmon Event ID 3: Network connection from certutil.exe to httpbin.org. Sysmon Event ID 11: File creation for output_stego.jpg. Windows Security Event ID 4688 if process auditing enabled.
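A file-level check that complements the process telemetry above when triaging a carrier image flagged by Detection 3 or produced by the polyglot test: it walks the PNG chunk list or the JPEG segment list and reports how many bytes sit after the true end-of-image marker, which is exactly what a 'copy /b' append leaves behind. This is an added example, not part of the original detection package; the samples are constructed inline and are structural skeletons, not real images.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
def png_chunk(ctype, payload):                 # length + type + data + CRC over type+data
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def png_trailing_bytes(data):
    """Walk the chunk list; return the byte count after IEND (0 = clean). ValueError if malformed."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                # 8-byte header + data + 4-byte CRC
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos = end
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk")

def jpeg_trailing_bytes(data):
    """Byte count after the EOI (FF D9) that ends the main image. Header segments (including an EXIF
    thumbnail with its own EOI) are skipped by length; in scan data FF precedes only 00 or D0-D7."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while True:
        i = data.find(b"\xff", pos)
        if i < 0 or i + 1 >= len(data):
            raise ValueError("no EOI marker")
        m = data[i + 1]
        if m == 0xD9:
            return len(data) - (i + 2)
        if m in (0x00, 0xFF, 0x01, 0xD8) or 0xD0 <= m <= 0xD7:   # stuffing, fill, standalone markers
            pos = i + 1
        else:                                                      # marker followed by a 2-byte length
            pos = i + 2 + struct.unpack(">H", data[i + 2:i + 4])[0]

# Constructed samples (not real images): a clean and an appended 1x1 PNG, and a JPEG skeleton whose APP1 holds a fake thumbnail with its own FF D9.
CLEAN_PNG = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
STEGO_PNG = CLEAN_PNG + b"CONSTRUCTED-PAYLOAD"
APP1 = b"\xff\xe1" + struct.pack(">H", 6) + b"\xff\xd8\xff\xd9"
SOS = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
CLEAN_JPEG = b"\xff\xd8" + APP1 + SOS + b"\xff\xd9"
STEGO_JPEG = CLEAN_JPEG + b"CONSTRUCTED-PAYLOAD"
```

A naive search for the first FF D9 would flag CLEAN_JPEG because of the thumbnail inside APP1; the segment walk returns 0 for it and 19 for the appended copy.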