Home/ATT&CK Technique/Steganography
ATT&CK Technique

Steganography

T1027.003 · stealth

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. Duqu was an early example of malware that used steganography.

It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server. By the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.

LinuxmacOSWindows

Actors Using This

12
russiaAPT29
russiaCloud Atlas
north_koreaContagious Interview
us_israel_joint_offensive_cyber_speculationDuqu / Duqu 2.0
russia_speaking_organized_cybercrimeIcedID / BokBot Operators (Lunar Spider)
latin_america_brazilian_organized_cybercrimeNumando
indiaSideWinder
us_israel_joint_offensive_cyberStuxnet
chinaTick
chinaTropic Trooper
financially_motivated_italy_based_criminal_mandiant_medium_confidence_unc4990UNC4990 (Italy USB Cryptojacking Operator)
chinaWorok

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
reconnaissance same
T1589 · Gather Victim Identity Information ×2.38
execution same
T1559.001 · Component Object Model ×3.61
privilege-escalation same
T1546 · Event Triggered Execution ×2.54
credential-access same
T1003.002 · Security Account Manager ×2.42
discovery same
T1497.003 · Time Based Checks ×3.45T1497.001 · System Checks ×2.53
lateral-movement same
T1091 · Replication Through Removable Media ×3.97
collection same
T1185 · Browser Session Hijacking ×2.83
command-and-control same
T1001.002 · Steganography ×13.22T1001 · Data Obfuscation ×8.81T1102.001 · Dead Drop Resolver ×2.20
other same
T1027.009 · Embedded Payloads ×8.50T1218.010 · Regsvr32 ×3.97T1480 · Execution Guardrails ×2.83T1027.010 · Command Obfuscation ×2.64

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 5
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin