T1027.003 Steganography Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SteganographyTools = dynamic(["invoke-psimage", "steghide", "openstego", "outguess", "stegdetect"]);
let ImageExtensions = dynamic([".png", ".jpg", ".jpeg", ".bmp", ".gif", ".tiff"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SteganographyTools)
    or (ProcessCommandLine has_any (ImageExtensions)
        and ProcessCommandLine has_any ("extract", "decode", "lsb", "steg", "hidden", "payload"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
| union (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileCreated"
    | where FileName endswith ".exe" or FileName endswith ".dll"
    | where InitiatingProcessFileName in~ ("explorer.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe")
    | where FolderPath has_any ("\\Temp\\", "\\Downloads\\", "\\Pictures\\")
    | extend SuspiciousExeDrop = true
    | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, FileName, FolderPath, SuspiciousExeDrop
)

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate digital forensics and watermarking tools that use steganography for authorized use cases
Security researchers running steganography analysis tools on their workstations
Browsers dropping legitimate executable installers to Downloads or Pictures folders
Digital rights management (DRM) tools that use watermarking techniques similar to steganography

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmdline=lower(CommandLine)
| eval IsStegoTool=if(match(cmdline, "(invoke-psimage|steghide|openstego|outguess|stegdetect)"), 1, 0)
| eval IsImageExec=if(match(cmdline, "(\.png|\.jpg|\.jpeg|\.bmp|\.gif).*\-exec|exec.*(\.png|\.jpg|\.bmp)"), 1, 0)
| eval IsImageExtract=if(match(cmdline, "(extract|lsb|decode).*(\.png|\.jpg|\.bmp)"), 1, 0)
| where IsStegoTool=1 OR IsImageExec=1 OR IsImageExtract=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsStegoTool, IsImageExec, IsImageExtract
| sort - _time
| append [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
      (TargetFilename="*\\Pictures\\*.exe" OR TargetFilename="*\\Downloads\\*.exe")
      (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\iexplore.exe" OR Image="*\\firefox.exe")
    | eval DropType="BrowserExeDrop"
    | table _time, host, User, TargetFilename, Image, DropType
]

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate forensic software (Autopsy, Encase) running steganography detection modules
Security awareness training platforms that simulate steganographic attack downloads
Software installers stored in Downloads or Pictures by legitimate download managers
Development environments testing image processing libraries that include steganography functions

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    (
      process.command_line : ("*invoke-psimage*", "*steghide*", "*openstego*", "*outguess*", "*stegdetect*")
      or
      (
        process.command_line : ("*.png*", "*.jpg*", "*.jpeg*", "*.bmp*", "*.gif*", "*.tiff*")
        and process.command_line : ("*extract*", "*decode*", "*lsb*", "*steg*", "*hidden*", "*payload*")
      )
    )
  )
  or
  (
    event.category == "file" and event.type == "creation"
    and file.name like~ ("*.exe", "*.dll")
    and process.name like~ ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "explorer.exe")
    and file.path : ("*\\Temp\\*", "*\\Downloads\\*", "*\\Pictures\\*")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent with Windows integration Winlogbeat with Sysmon module

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Security researchers, CTF participants, or penetration testers legitimately running steghide, stegdetect, or outguess on monitored endpoints during authorized engagements
Digital forensics investigators using image extraction tooling (e.g., Autopsy plugins, FTK components) that invoke LSB or decode operations against image files as part of authorized case analysis
Legitimate enterprise software installers downloaded by a browser to the Downloads or Temp directory that match the PE file drop pattern but are vendor-signed and expected

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  username,
  hostname,
  "CommandLine"         AS CommandLine,
  "Image"               AS ProcessImage,
  "ParentImage"         AS ParentProcess,
  "TargetFilename"      AS DroppedFile,
  QIDNAME(qid)          AS EventName,
  LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE
  (
    LOWER("CommandLine") ILIKE '%invoke-psimage%'
    OR LOWER("CommandLine") ILIKE '%steghide%'
    OR LOWER("CommandLine") ILIKE '%openstego%'
    OR LOWER("CommandLine") ILIKE '%outguess%'
    OR LOWER("CommandLine") ILIKE '%stegdetect%'
    OR (
      (
        LOWER("CommandLine") ILIKE '%.png%'
        OR LOWER("CommandLine") ILIKE '%.jpg%'
        OR LOWER("CommandLine") ILIKE '%.bmp%'
        OR LOWER("CommandLine") ILIKE '%.gif%'
        OR LOWER("CommandLine") ILIKE '%.jpeg%'
      )
      AND
      (
        LOWER("CommandLine") ILIKE '%extract%'
        OR LOWER("CommandLine") ILIKE '%lsb%'
        OR LOWER("CommandLine") ILIKE '%decode%'
        OR LOWER("CommandLine") ILIKE '%steg%'
        OR LOWER("CommandLine") ILIKE '%payload%'
        OR LOWER("CommandLine") ILIKE '%hidden%'
      )
    )
    OR (
      (
        LOWER("TargetFilename") ILIKE '%\\pictures\\%.exe'
        OR LOWER("TargetFilename") ILIKE '%\\downloads\\%.exe'
        OR LOWER("TargetFilename") ILIKE '%\\temp\\%.exe'
        OR LOWER("TargetFilename") ILIKE '%\\pictures\\%.dll'
        OR LOWER("TargetFilename") ILIKE '%\\downloads\\%.dll'
      )
      AND
      (
        LOWER("Image") ILIKE '%chrome.exe'
        OR LOWER("Image") ILIKE '%msedge.exe'
        OR LOWER("Image") ILIKE '%firefox.exe'
        OR LOWER("Image") ILIKE '%iexplore.exe'
        OR LOWER("Image") ILIKE '%explorer.exe'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar DSM for Microsoft Windows Security Event Log QRadar Sysmon DSM integration QRadar WinCollect agent

Required Tables

events

False Positives

Authorized red team operators running steganography tools on endpoints within scope of an engagement that is logged to QRadar
Image metadata extraction tools used by media production, photojournalism, or publishing workflows that reference decode, extract, or LSB operations against standard image formats
Enterprise patch management or software deployment systems that route installer EXEs through the browser download path into Temp or Downloads before executing

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="Windows/Sysmon" OR _sourceCategory="os/windows")
| where EventID = "1" OR EventID = "11"
| eval cmdline     = toLowerCase(CommandLine)
| eval targetfile  = toLowerCase(TargetFilename)
| eval procimg     = toLowerCase(Image)
| eval IsStegoTool = if (
    cmdline matches "(?i).*(invoke-psimage|steghide|openstego|outguess|stegdetect).*",
    1, 0)
| eval IsImageExtract = if (
    (cmdline matches "(?i).*\.(png|jpg|jpeg|bmp|gif|tiff).*")
    AND (cmdline matches "(?i).*(extract|lsb|decode|steg|hidden|payload).*"),
    1, 0)
| eval IsBrowserExeDrop = if (
    EventID = "11"
    AND (targetfile matches "(?i).*\\(pictures|downloads|temp)\\.*\.(exe|dll)$")
    AND (procimg matches "(?i).*(chrome|msedge|iexplore|firefox|explorer)\.exe.*"),
    1, 0)
| where IsStegoTool = 1 OR IsImageExtract = 1 OR IsBrowserExeDrop = 1
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, IsStegoTool, IsImageExtract, IsBrowserExeDrop
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Sysmon Operational channel) Sumo Logic Cloud Syslog for Windows endpoints

Required Tables

windows/sysmon source category os/windows source category

False Positives

Penetration testers or purple team operators running steghide, outguess, or invoke-psimage on Sumo-monitored endpoints during scoped exercises
Forensic and incident response toolkits (e.g., KAPE triage, Autopsy forensic suite) that perform LSB or decode operations against image files as part of artifact collection
Software deployment workflows where browsers download and stage installers in Downloads or Temp before a deployment management agent moves them; EXE appears in a user directory but is legitimately signed

Google Chronicle / SecOps

yaral

rule T1027_003_steganography_detection {
  meta:
    author          = "Detection Engineering"
    description     = "Detects steganography tool execution, LSB or keyword-based image extraction commands, and PE/DLL files written to user directories by browser processes. Maps to MITRE ATT\&CK T1027.003 - Steganography."
    mitre_tactic    = "Defense Evasion"
    mitre_technique = "T1027.003"
    severity        = "HIGH"
    confidence      = "MEDIUM"
    version         = "1.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line,
          `(?i)(invoke-psimage|steghide|openstego|outguess|stegdetect)`)
        or (
          re.regex($e.target.process.command_line,
            `(?i)\.(png|jpg|jpeg|bmp|gif|tiff)`)
          and re.regex($e.target.process.command_line,
            `(?i)(extract|decode|lsb|steg|hidden|payload)`)
        )
      )
    )
    or
    (
      $e.metadata.event_type = "FILE_CREATION"
      and re.regex($e.target.file.full_path,
        `(?i)\\(Temp|Downloads|Pictures)\\[^\\]+\.(exe|dll)$`)
      and re.regex($e.principal.process.file.full_path,
        `(?i)(chrome|msedge|iexplore|firefox|explorer)\.exe$`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM ingestion pipeline Windows endpoint telemetry forwarded to Chronicle (Sysmon, MDE) Chronicle forwarder with Windows Event Log collection

Required Tables

UDM PROCESS_LAUNCH events UDM FILE_CREATION events

False Positives

Authorized adversary simulation operators using invoke-psimage or steghide on Chronicle-monitored endpoints as part of a documented T1027.003 technique test
Graphic design or media production environments where command-line image processing tools routinely reference decode, extract, or LSB operations against PNG, JPG, or BMP files
Endpoint users downloading vendor-supplied software via browser to the Downloads folder where the resulting EXE matches the PE write pattern but is a legitimate, signed installer

CrowdStrike LogScale (CQL)

cql

// Process execution: steganography tools or image extraction command patterns
#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/
| CommandLine = /(?i)(invoke-psimage|steghide|openstego|outguess|stegdetect)/
  OR (
    CommandLine = /(?i)\.(png|jpg|jpeg|bmp|gif|tiff)/
    AND CommandLine = /(?i)(extract|lsb|decode|steg|hidden|payload)/
  )
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine])

| union [
    // File creation: PE/DLL written to user directories by browser process
    #event_simpleName = PeFileWritten
    | TargetFileName = /(?i)\\(Temp|Downloads|Pictures)\\[^\\]+\.(exe|dll)$/
    | WriterFileName = /(?i)(chrome|msedge|iexplore|firefox|explorer)\.exe$/
    | table([@timestamp, ComputerName, UserName, TargetFileName, WriterFileName])
  ]
| sort(@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2, PeFileWritten) CrowdStrike Falcon Data Replicator (FDR) CrowdStrike Humio / LogScale Event Search

Required Tables

ProcessRollup2 SyntheticProcessRollup2 PeFileWritten

False Positives

Authorized red team or purple team exercises where Falcon-monitored endpoints run steganography utilities (steghide, outguess, stegdetect) as part of T1027.003 simulation and the host is in a test OU
Security awareness or training lab environments where staff are shown live demonstrations of steganography payloads using invoke-psimage or similar tooling on dedicated lab machines
Legitimate software download workflows where a browser retrieves and stages a PE installer in Downloads or Temp prior to a patch management agent executing it; WriterFileName matches browser but EXE is vendor-signed

Steganography

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections