T1027.003 Sumo Logic CSE · Sumo

Detect Steganography in Sumo Logic CSE

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. Adversaries commonly hide malicious payloads within PNG, BMP, JPG, and GIF files, often extracting PE executables or shellcode at runtime using LSB (Least Significant Bit) manipulation or custom XOR-based extraction. Threat actors including APT37, APT29, Andariel, Tropic Trooper, BRONZE BUTLER, and MuddyWater have used steganography to hide C2 configurations, shellcode, and full malware payloads within seemingly benign images.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.003 Steganography
Canonical reference
https://attack.mitre.org/techniques/T1027/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory="windows/sysmon" OR _sourceCategory="Windows/Sysmon" OR _sourceCategory="os/windows")
| where EventID = "1" OR EventID = "11"
| eval cmdline     = toLowerCase(CommandLine)
| eval targetfile  = toLowerCase(TargetFilename)
| eval procimg     = toLowerCase(Image)
| eval IsStegoTool = if (
    cmdline matches "(?i).*(invoke-psimage|steghide|openstego|outguess|stegdetect).*",
    1, 0)
| eval IsImageExtract = if (
    (cmdline matches "(?i).*\.(png|jpg|jpeg|bmp|gif|tiff).*")
    AND (cmdline matches "(?i).*(extract|lsb|decode|steg|hidden|payload).*"),
    1, 0)
| eval IsBrowserExeDrop = if (
    EventID = "11"
    AND (targetfile matches "(?i).*\\(pictures|downloads|temp)\\.*\.(exe|dll)$")
    AND (procimg matches "(?i).*(chrome|msedge|iexplore|firefox|explorer)\.exe.*"),
    1, 0)
| where IsStegoTool = 1 OR IsImageExtract = 1 OR IsBrowserExeDrop = 1
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, IsStegoTool, IsImageExtract, IsBrowserExeDrop
| sort by _messageTime desc
high severity medium confidence

Sumo Logic query detecting steganography tool execution and image-based payload extraction using Sysmon EventID 1 (process creation) and EventID 11 (file creation). Classifies each match by detection type: known tool invocation (IsStegoTool), image-file extraction command pattern (IsImageExtract), or browser-originated PE/DLL drop in a user-accessible directory (IsBrowserExeDrop).

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Sysmon Operational channel)Sumo Logic Cloud Syslog for Windows endpoints

Required Tables

windows/sysmon source categoryos/windows source category

False Positives & Tuning

  • Penetration testers or purple team operators running steghide, outguess, or invoke-psimage on Sumo-monitored endpoints during scoped exercises
  • Forensic and incident response toolkits (e.g., KAPE triage, Autopsy forensic suite) that perform LSB or decode operations against image files as part of artifact collection
  • Software deployment workflows where browsers download and stage installers in Downloads or Temp before a deployment management agent moves them; EXE appears in a user directory but is legitimately signed
Download portable Sigma rule (.yml)

Other platforms for T1027.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Hide and Extract Payload with Invoke-PSImage

    Expected signal: Sysmon Event ID 3: Network connection to raw.githubusercontent.com. Sysmon Event ID 11: stego_test.png created in %TEMP%. PowerShell ScriptBlock Log Event ID 4104: Invoke-PSImage commands and the embedded script. The PNG will have slightly modified pixel values to carry the hidden payload.

  2. Test 2Embed Secret Message in Image using steghide

    Expected signal: Sysmon Event ID 1: steghide.exe process creation with 'embed' then 'extract' arguments. Sysmon Event ID 11: stego_output.jpg and extracted_payload.txt created in %TEMP%. The steghide tool name will appear in process command lines.

  3. Test 3Simulate C2 Configuration Retrieval via Steganographic Image

    Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest to external URL. Sysmon Event ID 3: Network connection to microsoft.com port 443. PowerShell ScriptBlock Log Event ID 4104: the extraction code using bitwise AND on image bytes.

  4. Test 4Detect High-Entropy Data in Image with binwalk

    Expected signal: Process execution for dd and binwalk commands. Auditd execve records for both commands. The binwalk output will show signatures of embedded data within the image file.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1027.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1027.009Embedded PayloadsT1027.013Encrypted/Encoded FileT1059.001PowerShellT1566.001Spearphishing AttachmentT1102Web ServiceT1571Non-Standard Port

Same Tactic: Defense Evasion

Popular Detections