title: Steganography (T1001.002)
id: df00tech-t1001-002
status: experimental
description: "Adversaries may use steganographic techniques to hide command and control traffic within digital media files (images, PDFs, etc.) to evade detection. Commands or data can be embedded in image files (JPG, PNG, GIF, BMP) or documents using techniques such as Least Significant Bit (LSB) encoding, appending data after EOF markers, or hiding data in file format metadata and structures (e.g., IDAT chunks in PNG). Real-world malware including HAMMERTOSS, LunarWeb, LunarMail, ZeroT, LightNeuron, RDAT, Duqu, and Sliver have leveraged steganographic C2 channels. Detection focuses on process behavior (tools that process or download image files with unusual patterns), network anomalies (HTTP traffic downloading image files at regular intervals with response size variance), and file system indicators (known steganography utilities being executed)."
references:
  - https://attack.mitre.org/techniques/T1001/002/
  - https://df00tech.com/detections/T1001.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1001.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate graphic design or photography software that uses image processing libraries referencing pixel manipulation functions like GetPixel/SetPixel
  - Security researchers or penetration testers running steganography analysis tools in lab environments
  - Digital watermarking software used by media organizations to embed copyright information in images
  - Forensics tools (e.g., Autopsy plugins) that analyze image files for hidden content during incident response
  - Python machine learning or computer vision scripts using PIL/Pillow that process image pixel data
level: high
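The description lists appended data after an image's end-of-file marker and non-standard PNG chunk structures as carriers. The script below is an added example of the file-level side of that detection; it is not the df00tech rule's own logic or its KQL/SPL query. It walks PNG chunks (flagging chunk types outside the specification's registered set, CRC mismatches and bytes after IEND) and walks JPEG segments to find the real EOI marker, since a naive search for FF D9 stops at the EXIF thumbnail's inner EOI. The sample images, the `stEg` chunk name and the beacon-like trailer are constructed here for demonstration and carry no real payload.

```python
"""Static checks for appended payloads and odd container structure in image
files. Added example (not the df00tech rule); samples are constructed inline."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types registered by the PNG specification plus APNG/eXIf extensions.
KNOWN_PNG_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
    "eXIf", "acTL", "fcTL", "fdAT",
}


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list; report unknown chunk types, CRC mismatches,
    IDAT count and the number of bytes that follow IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, unknown, bad_crc, idat_count, end = len(PNG_SIGNATURE), [], [], 0, None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            bad_crc.append(name)          # data written into a chunk without fixing its CRC
        if name not in KNOWN_PNG_CHUNKS:
            unknown.append(name)
        if name == "IDAT":
            idat_count += 1
        pos += 12 + length
        if name == "IEND":
            end = pos
            break
    if end is None:
        raise ValueError("no IEND chunk")
    return {"unknown_chunks": unknown, "bad_crc": bad_crc,
            "idat_chunks": idat_count, "trailing_bytes": len(data) - end}


def jpeg_trailing_bytes(data: bytes) -> int:
    """Find the real EOI by walking segments: marker segments carry a length,
    entropy-coded data after SOS stuffs FF as FF 00 and may contain RSTn."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                          # EOI: anything after it is appended
            return len(data) - (pos + 2)
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                          # SOS: skip entropy-coded bytes
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break                           # genuine marker (EOI, DHT, another SOS)
                pos += 1
    raise ValueError("no EOI marker found")


def scan_image(data: bytes) -> dict:
    """Dispatch on magic bytes; 'suspicious' means trailing data, an unknown
    PNG chunk type, or a CRC mismatch was found."""
    if data.startswith(PNG_SIGNATURE):
        result = dict(inspect_png(data), format="png")
    elif data.startswith(b"\xff\xd8"):
        result = {"format": "jpeg", "trailing_bytes": jpeg_trailing_bytes(data)}
    else:
        raise ValueError("unsupported format")
    result["suspicious"] = bool(result["trailing_bytes"] or result.get("unknown_chunks")
                                or result.get("bad_crc"))
    return result


def build_png(extra_chunks=(), trailer=b"") -> bytes:
    """Construct a 1x1 grayscale PNG (sample data, not a real file)."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    chunks = [chunk(b"IHDR", ihdr), chunk(b"IDAT", zlib.compress(b"\x00\x00"))]
    chunks += [chunk(t, b) for t, b in extra_chunks]
    return PNG_SIGNATURE + b"".join(chunks) + chunk(b"IEND", b"") + trailer


def build_jpeg(trailer=b"") -> bytes:
    """Construct a structurally valid (not decodable) JPEG: an APP1 segment
    holding a fake thumbnail with its own EOI, a SOS header, scan bytes with a
    stuffed FF 00 and an RST0 marker, then the real EOI."""
    app1_body = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    samples = {                                     # constructed sample files
        "clean.png": build_png(),
        "appended.png": build_png(trailer=b"constructed trailer: not a real command"),
        "private_chunk.png": build_png(extra_chunks=[(b"stEg", b"hidden")]),
        "clean.jpg": build_jpeg(),
        "appended.jpg": build_jpeg(trailer=b"\x00" * 64),
    }
    for name, blob in samples.items():
        print(name, scan_image(blob))
```

Running it prints one finding per sample; only the two appended files and the one with the unregistered `stEg` chunk come back `suspicious`. On a real host this check belongs beside the process and network indicators the description names, since benign images with trailing junk (editor artifacts, multi-image containers) do occur and should be triaged against who downloaded the file and how often.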
