Which SIEM platforms have a T1027.003 detection rule?

df00tech provides T1027.003 (Steganography) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Steganography (T1027.003)?

Detecting Steganography requires the following data sources: Process: Process Creation, File: File Creation, Microsoft Defender for Endpoint.

What severity and confidence is the T1027.003 detection?

The T1027.003 detection is rated high severity with medium confidence.

What are common false positives for T1027.003?

Common false positives for T1027.003 include: Legitimate digital forensics and watermarking tools that use steganography for authorized use cases; Security researchers running steganography analysis tools on their workstations; Browsers dropping legitimate executable installers to Downloads or Pictures folders.

T1027.003 IBM QRadar · QRadar

Detect Steganography in IBM QRadar

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. Adversaries commonly hide malicious payloads within PNG, BMP, JPG, and GIF files, often extracting PE executables or shellcode at runtime using LSB (Least Significant Bit) manipulation or custom XOR-based extraction. Threat actors including APT37, APT29, Andariel, Tropic Trooper, BRONZE BUTLER, and MuddyWater have used steganography to hide C2 configurations, shellcode, and full malware payloads within seemingly benign images.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Sub-technique: T1027.003 Steganography
Canonical reference: https://attack.mitre.org/techniques/T1027/003/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  username,
  hostname,
  "CommandLine"         AS CommandLine,
  "Image"               AS ProcessImage,
  "ParentImage"         AS ParentProcess,
  "TargetFilename"      AS DroppedFile,
  QIDNAME(qid)          AS EventName,
  LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE
  (
    LOWER("CommandLine") ILIKE '%invoke-psimage%'
    OR LOWER("CommandLine") ILIKE '%steghide%'
    OR LOWER("CommandLine") ILIKE '%openstego%'
    OR LOWER("CommandLine") ILIKE '%outguess%'
    OR LOWER("CommandLine") ILIKE '%stegdetect%'
    OR (
      (
        LOWER("CommandLine") ILIKE '%.png%'
        OR LOWER("CommandLine") ILIKE '%.jpg%'
        OR LOWER("CommandLine") ILIKE '%.bmp%'
        OR LOWER("CommandLine") ILIKE '%.gif%'
        OR LOWER("CommandLine") ILIKE '%.jpeg%'
      )
      AND
      (
        LOWER("CommandLine") ILIKE '%extract%'
        OR LOWER("CommandLine") ILIKE '%lsb%'
        OR LOWER("CommandLine") ILIKE '%decode%'
        OR LOWER("CommandLine") ILIKE '%steg%'
        OR LOWER("CommandLine") ILIKE '%payload%'
        OR LOWER("CommandLine") ILIKE '%hidden%'
      )
    )
    OR (
      (
        LOWER("TargetFilename") ILIKE '%\\pictures\\%.exe'
        OR LOWER("TargetFilename") ILIKE '%\\downloads\\%.exe'
        OR LOWER("TargetFilename") ILIKE '%\\temp\\%.exe'
        OR LOWER("TargetFilename") ILIKE '%\\pictures\\%.dll'
        OR LOWER("TargetFilename") ILIKE '%\\downloads\\%.dll'
      )
      AND
      (
        LOWER("Image") ILIKE '%chrome.exe'
        OR LOWER("Image") ILIKE '%msedge.exe'
        OR LOWER("Image") ILIKE '%firefox.exe'
        OR LOWER("Image") ILIKE '%iexplore.exe'
        OR LOWER("Image") ILIKE '%explorer.exe'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

QRadar AQL query detecting steganography tool invocations and image-based payload extraction via Sysmon EventCode 1 (process creation) and EventCode 11 (file creation) custom properties. Identifies known stego utilities by name, image+keyword command-line combinations, and PE/DLL files dropped in user profile directories by browser or shell processes.

Data Sources

IBM QRadar DSM for Microsoft Windows Security Event LogQRadar Sysmon DSM integrationQRadar WinCollect agent

Required Tables

events

False Positives & Tuning

Authorized red team operators running steganography tools on endpoints within scope of an engagement that is logged to QRadar
Image metadata extraction tools used by media production, photojournalism, or publishing workflows that reference decode, extract, or LSB operations against standard image formats
Enterprise patch management or software deployment systems that route installer EXEs through the browser download path into Temp or Downloads before executing

Download portable Sigma rule (.yml)

Other platforms for T1027.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Hide and Extract Payload with Invoke-PSImage
Expected signal: Sysmon Event ID 3: Network connection to raw.githubusercontent.com. Sysmon Event ID 11: stego_test.png created in %TEMP%. PowerShell ScriptBlock Log Event ID 4104: Invoke-PSImage commands and the embedded script. The PNG will have slightly modified pixel values to carry the hidden payload.
Test 2Embed Secret Message in Image using steghide
Expected signal: Sysmon Event ID 1: steghide.exe process creation with 'embed' then 'extract' arguments. Sysmon Event ID 11: stego_output.jpg and extracted_payload.txt created in %TEMP%. The steghide tool name will appear in process command lines.
Test 3Simulate C2 Configuration Retrieval via Steganographic Image
Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest to external URL. Sysmon Event ID 3: Network connection to microsoft.com port 443. PowerShell ScriptBlock Log Event ID 4104: the extraction code using bitwise AND on image bytes.
Test 4Detect High-Entropy Data in Image with binwalk
Expected signal: Process execution for dd and binwalk commands. Auditd execve records for both commands. The binwalk output will show signatures of embedded data within the image file.

Last updated: 2026-04-13 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detect Steganography in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1027.003

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1027.003

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox