T1027.003 Google Chronicle · YARA-L

Detect Steganography in Google Chronicle

Adversaries may use steganography to prevent the detection of hidden information. Steganographic techniques can hide data in digital media such as images, audio tracks, video clips, or text files. Adversaries commonly hide malicious payloads within PNG, BMP, JPG, and GIF files, often extracting PE executables or shellcode at runtime using LSB (Least Significant Bit) manipulation or custom XOR-based extraction. Threat actors including APT37, APT29, Andariel, Tropic Trooper, BRONZE BUTLER, and MuddyWater have used steganography to hide C2 configurations, shellcode, and full malware payloads within seemingly benign images.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.003 Steganography
Canonical reference
https://attack.mitre.org/techniques/T1027/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule T1027_003_steganography_detection {
  meta:
    author          = "Detection Engineering"
    description     = "Detects steganography tool execution, LSB or keyword-based image extraction commands, and PE/DLL files written to user directories by browser processes. Maps to MITRE ATT&CK T1027.003 - Steganography."
    mitre_tactic    = "Defense Evasion"
    mitre_technique = "T1027.003"
    severity        = "HIGH"
    confidence      = "MEDIUM"
    version         = "1.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line,
          `(?i)(invoke-psimage|steghide|openstego|outguess|stegdetect)`)
        or (
          re.regex($e.target.process.command_line,
            `(?i)\.(png|jpg|jpeg|bmp|gif|tiff)`)
          and re.regex($e.target.process.command_line,
            `(?i)(extract|decode|lsb|steg|hidden|payload)`)
        )
      )
    )
    or
    (
      $e.metadata.event_type = "FILE_CREATION"
      and re.regex($e.target.file.full_path,
        `(?i)\\(Temp|Downloads|Pictures)\\[^\\]+\.(exe|dll)$`)
      and re.regex($e.principal.process.file.full_path,
        `(?i)(chrome|msedge|iexplore|firefox|explorer)\.exe$`)
    )

  condition:
    $e
}
Severity: HIGH, Confidence: MEDIUM

Chronicle YARA-L 2.0 rule detecting steganography tool invocations and image-based payload extraction via PROCESS_LAUNCH UDM events, plus executable files written to user-accessible directories by browser processes via FILE_CREATION events. It uses the UDM field model with regex matching on process command lines, created file paths, and the initiating process image path.

Data Sources

  • Google Chronicle UDM ingestion pipeline
  • Windows endpoint telemetry forwarded to Chronicle (Sysmon, MDE)
  • Chronicle forwarder with Windows Event Log collection

Required Tables

  • UDM PROCESS_LAUNCH events
  • UDM FILE_CREATION events

False Positives & Tuning

  • Authorized adversary simulation operators using invoke-psimage or steghide on Chronicle-monitored endpoints as part of a documented T1027.003 technique test
  • Graphic design or media production environments where command-line image processing tools routinely reference decode, extract, or LSB operations against PNG, JPG, or BMP files
  • Endpoint users downloading vendor-supplied software via browser to the Downloads folder where the resulting EXE matches the PE write pattern but is a legitimate, signed installer

Testing Methodology

Validate this detection against 4 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Hide and Extract Payload with Invoke-PSImage

    Expected signal: Sysmon Event ID 3: Network connection to raw.githubusercontent.com. Sysmon Event ID 11: stego_test.png created in %TEMP%. PowerShell ScriptBlock Log Event ID 4104: Invoke-PSImage commands and the embedded script. The PNG will have slightly modified pixel values to carry the hidden payload.

  2. Test 2: Embed Secret Message in Image using steghide

    Expected signal: Sysmon Event ID 1: steghide.exe process creation with 'embed' then 'extract' arguments. Sysmon Event ID 11: stego_output.jpg and extracted_payload.txt created in %TEMP%. The steghide tool name will appear in process command lines.

  3. Test 3: Simulate C2 Configuration Retrieval via Steganographic Image

    Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest to external URL. Sysmon Event ID 3: Network connection to microsoft.com port 443. PowerShell ScriptBlock Log Event ID 4104: the extraction code using bitwise AND on image bytes.

  4. Test 4: Detect High-Entropy Data in Image with binwalk

    Expected signal: Process execution for dd and binwalk commands. Auditd execve records for both commands. The binwalk output will show signatures of embedded data within the image file.
