Home/ATT&CK Technique/Steganography
ATT&CK Technique

Steganography

T1001.002 · command-and-control

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems.

In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

LinuxmacOSWindowsESXi

Actors Using This

6
north_koreaAndariel
russiaAPT29
us_israel_joint_offensive_cyber_speculationDuqu / Duqu 2.0
chinaTropic Trooper
russiaTurla
chinaWorok

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
reconnaissance earlier
T1589 · Gather Victim Identity Information ×4.76
resource-development earlier
T1584.006 · Web Services ×5.95
execution earlier
T1059.006 · Python ×3.97T1047 · Windows Management Instrumentation ×2.83
privilege-escalation earlier
T1546 · Event Triggered Execution ×5.09
credential-access earlier
T1003.002 · Security Account Manager ×3.87
discovery earlier
T1012 · Query Registry ×2.78
collection earlier
T1114.002 · Remote Email Collection ×3.61T1114.001 · Local Email Collection ×2.99
command-and-control same
T1001 · Data Obfuscation ×26.44T1071.003 · Mail Protocols ×4.76
exfiltration later
T1029 · Scheduled Transfer ×2.87
other same
T1027.003 · Steganography ×13.22T1027.010 · Command Obfuscation ×5.29T1070.006 · Timestomp ×4.10

Atomic Tests

3
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellelevatedwindowsSteganographic Tarball Embedding
This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) within an image. The test begins by ensuring the availability of the image file and the tarball file containing data . It then generates random passwords and saves them to a file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball file within the image, utilizing steganography techniques for data obfuscation. This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected. By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration. 
Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte
powershellelevatedwindowsEmbedded Script in Image Execution via Extract-Invoke-PSImage
This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems. The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed. In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file. 
cd "PathToAtomicsFolder\ExternalPayloads\"
Import-Module .\Extract-Invoke-PSImage.ps1
$extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
$scriptContent = Get-Content "$HOME\result.ps1" -Raw
$base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
$base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
$base64Strings | Set-Content "$HOME\decoded.ps1"
$decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
$textPattern = '^.+'  
$textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
$scriptPath = "$HOME\textExtraction.ps1"
$textMatches -join '' | Set-Content -Path $scriptPath
. "$HOME\textExtraction.ps1"
shlinuxExecute Embedded Script in Image via Steganography
This atomic test demonstrates the execution of an embedded script in an image file using steganography techniques. The script is first encoded in base64 and then embedded within the pixels of the image. The modified image is created, and the script is extracted and executed on the target system.
cat "#{script}" | base64 | xxd -p | sed 's/../& /g' | xargs -n1 | xxd -r -p | cat "#{image}" - > "#{evil_image}"; strings "#{evil_image}" | tail -n 1 | base64 -d | sh

Mitigations

1
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1031Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53AC-04, CA-07, CM-02, CM-06, SC-07, SI-03, SI-04
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin