Keypoints
- Steganography hides data inside carrier files such as images and documents so that the transfer looks like ordinary content and evades signature-based detection.
- Attackers can embed C2 instructions or payloads in benign files and deliver them via email, web, or file shares.
- Network anomalies such as unexpected upload volumes or irregular protocol usage can indicate a steganographic channel.
- Detection uses content inspection, entropy analysis, and file-format validation to find manipulated files.
- Platforms affected include Windows, Linux, macOS, and ESXi, requiring cross-platform monitoring and controls.
Description:
- Like a secret note written in invisible ink hidden inside a postcard, steganography conceals malicious messages inside ordinary files so they appear harmless to casual observers.
- Attackers embed hidden data within digital carriers (images, documents, audio) and transfer those files to communicate with or control compromised systems; this enables covert C2, data exfiltration, and reduces the chance of detection by blending with normal traffic.
Detection:
- Use network content inspection tools (IDS/IPS, next-gen firewalls) to flag files whose declared MIME type or extension does not match their magic bytes, files that carry data beyond their format's end-of-file marker, and content types that are abnormal for the protocol in use.
- Monitor network flows for asymmetric traffic patterns, such as clients sending far more data than received, and alert on sudden volume spikes from endpoints.
- Perform entropy and statistical analysis on transferred files. Compressed formats such as JPEG and PNG already sit near maximal entropy, so whole-file entropy alone is a weak signal; compare against a baseline for the same format, and measure regions that should be structured (headers, metadata, data appended after the end marker) or that embedding tools alter (least-significant-bit planes) rather than the file as a whole.
- Validate file headers and structure with file-format parsers; discrepancies between header metadata and actual content, such as bytes after a JPEG EOI marker or PNG IEND chunk, chunk CRC mismatches, or segment lengths that disagree with the file size, suggest tampering.
- Log and baseline process network behavior; flag processes that do not normally communicate over the network, and new or unexpected binaries initiating transfers.
- Correlate email and web gateway logs with endpoint file writes; block or sandbox suspicious attachments and inspect extracted contents for steganographic markers.
- Use threat intelligence and YARA rules to detect signatures of known steganography tools; combine with sandboxing and manual analysis to reduce false positives, since benign software also appends trailers and metadata to media files.
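As an added example covering the entropy-analysis and file-format-validation bullets above (this is illustration written for this page, not code from the page or from any of the cited reports), the script below walks a PNG's chunk list (checking signature, chunk layout and per-chunk CRCs) and a JPEG's marker segments, finds the offset where the format legitimately ends, and reports how many bytes trail that point together with their Shannon entropy. The sample carriers and the appended payloads are constructed inline; the output field names and the "any trailing byte is suspicious" rule are assumptions a deployment would tune. Note the caveat this makes concrete: an image with a payload embedded in its pixel data (LSB steganography) is structurally valid and passes this check, which is why the page pairs structure validation with baselined entropy and tool signatures.

```python
"""Carrier-file inspection for appended or structurally anomalous payloads.

Added example for this page, not tooling from the page or the cited vendors.
Walks PNG chunks and JPEG marker segments, reports bytes trailing the format's
end marker, and scores that tail with Shannon entropy so an analyst can tell
appended text from an encrypted or compressed blob. Samples are constructed.
"""
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def png_end_offset(data: bytes):
    """Offset just past IEND, or None if the chunk structure or a CRC is bad."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):  # the smallest chunk (IEND) is 12 bytes
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return None  # truncated chunk
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            return None  # CRC mismatch: chunk was edited after the image was written
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None  # ran out of data before IEND


def jpeg_end_offset(data: bytes):
    """Offset just past EOI, or None if the marker stream is malformed."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None  # expected a marker here
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: skip scan data; FF00 (stuffing) and RSTn are not markers
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return None


def inspect_carrier(data: bytes) -> dict:
    """Validate structure and measure any data trailing the end-of-image marker."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        fmt, end = "unknown", None
    if end is None:
        return {"format": fmt, "structure_ok": False, "trailing_len": 0,
                "trailing_entropy": 0.0, "suspicious": True}
    tail = data[end:]
    return {"format": fmt, "structure_ok": True, "trailing_len": len(tail),
            "trailing_entropy": round(shannon_entropy(tail), 3),
            "suspicious": len(tail) > 0}  # assumed rule: any trailing byte is worth a look


def make_png(width: int = 2, height: int = 2, rgb=(0, 0, 0)) -> bytes:
    """Constructed sample: a minimal valid 8-bit RGB PNG (not a real capture)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    scanlines = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


def make_jpeg() -> bytes:
    """Constructed sample: SOI, a JFIF APP0 segment, an SOS header, two scan bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34" + b"\xff\xd9"


if __name__ == "__main__":
    samples = {  # constructed carriers; the appended payloads are placeholders
        "clean.png": make_png(),
        "blob.png": make_png() + bytes(range(256)) * 4,               # high-entropy tail
        "text.jpg": make_jpeg() + b"cmd=sleep 300;jitter=20;" * 8,   # readable tail
    }
    for name, blob in samples.items():
        print(name, inspect_carrier(blob))
```

Run directly, it prints the verdict for the three constructed carriers: the clean PNG passes, the PNG with a uniform-byte tail reports 1024 trailing bytes at 8.0 bits per byte (the profile of an encrypted or compressed payload), and the JPEG with repeated text reports a low-entropy tail. In a gateway or sandbox pipeline the same function would run over extracted attachments, alerting on `structure_ok` being false or `trailing_len` above zero, with `trailing_entropy` compared against what benign trailers from common editors look like in your environment.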
Tactics:
Command and Control
Platforms:
ESXi, Linux, Windows, macOS
Data Sources:
Network Traffic: Network Traffic Content
Relationship Citations:
(Citation: ESET Dukes October 2019), (Citation: FireEye SUNBURST Additional Details Dec 2020), (Citation: Symantec Sunburst Sending Data January 2021), (Citation: GitHub Sliver HTTP), (Citation: Novetta-Axiom), (Citation: Symantec W32.Duqu), (Citation: FireEye APT29), (Citation: Unit42 RDAT July 2020), (Citation: Trend Micro Daserf Nov 2017), (Citation: FireEye SUNBURST Backdoor December 2020), (Citation: ESET Turla Lunar toolset May 2024), (Citation: Proofpoint TA459 April 2017), (Citation: Proofpoint ZeroT Feb 2017), (Citation: ESET LightNeuron May 2019)