title: Steganography (T1027.003)
id: df00tech-t1027-003
status: experimental
description: "Adversaries may use steganography to prevent the detection of hidden information. Steganographic techniques can hide data in digital media such as images, audio tracks, video clips, or text files. Adversaries commonly hide malicious payloads within PNG, BMP, JPG, and GIF files, often extracting PE executables or shellcode at runtime using LSB (Least Significant Bit) manipulation or custom XOR-based extraction. Threat actors including APT37, APT29, Andariel, Tropic Trooper, BRONZE BUTLER, and MuddyWater have used steganography to hide C2 configurations, shellcode, and full malware payloads within seemingly benign images."
references:
  - https://attack.mitre.org/techniques/T1027/003/
  - https://df00tech.com/detections/T1027.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate digital forensics and watermarking tools that use steganography for authorized use cases
  - Security researchers running steganography analysis tools on their workstations
  - Browsers dropping legitimate executable installers to Downloads or Pictures folders
  - Digital rights management (DRM) tools that use watermarking techniques similar to steganography
level: high
