Steganography Hide Zip Information in Picture File
Detects a zip file being appended to an image file
Sigma rule

```yaml
title: Steganography Hide Zip Information in Picture File
id: 45810b50-7edc-42ca-813b-bdac02fb946b
status: test
description: Detects appending of zip file to image
references:
    - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
author: 'Pawel Mazur'
date: 2021/09/09
modified: 2022/10/09
tags:
    - attack.defense_evasion
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    commands:
        type: EXECVE
        a0: cat
    a1:
        a1|endswith:
            - '.jpg'
            - '.png'
    a2:
        a2|endswith: '.zip'
    condition: commands and a1 and a2
falsepositives:
    - Unknown
level: low
```
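To see what the selection above actually matches, here is an added example (not part of the Sigma project or this rule) that applies the rule's logic to constructed auditd EXECVE records: it parses the key=value layout, decodes the unquoted hex form auditd uses for arguments containing spaces, and lower-cases extensions because Sigma string matching is case-insensitive by default. The sample log lines and event ids are constructed for illustration.

```python
import re

# Constructed auditd EXECVE records (not real logs), in the key=value layout of
# /var/log/audit/audit.log. Event 202 has an upper-case extension; event 203
# carries a1 in the unquoted hex form auditd uses when an argument contains a
# space (here "my photo.jpg"); 204 and 205 must not match.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1631180000.101:201): argc=3 a0="cat" a1="holiday.jpg" a2="secrets.zip"
type=EXECVE msg=audit(1631180000.102:202): argc=3 a0="cat" a1="logo.PNG" a2="archive.zip"
type=EXECVE msg=audit(1631180000.103:203): argc=3 a0="cat" a1=6D792070686F746F2E6A7067 a2="data.zip"
type=EXECVE msg=audit(1631180000.104:204): argc=3 a0="cat" a1="notes.txt" a2="archive.zip"
type=EXECVE msg=audit(1631180000.105:205): argc=2 a0="cat" a1="holiday.jpg"
type=SYSCALL msg=audit(1631180000.105:205): arch=c000003e syscall=59 success=yes exit=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(raw):
    """Quoted aN values are plain strings; unquoted all-hex values are hex-encoded."""
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw

def parse_record(line):
    rec = {}
    for key, raw in KV_RE.findall(line):
        rec[key] = decode_arg(raw) if re.fullmatch(r'a\d+', key) else raw.strip('"')
    return rec

def matches_rule(rec):
    """Mirror of the rule: EXECVE, a0 == cat, a1 is .jpg/.png, a2 is .zip."""
    if rec.get('type') != 'EXECVE' or rec.get('a0') != 'cat':
        return False
    a1 = rec.get('a1', '').lower()   # Sigma matching is case-insensitive
    a2 = rec.get('a2', '').lower()
    return a1.endswith(('.jpg', '.png')) and a2.endswith('.zip')

def scan(log_text):
    """Return the audit event ids (the N in audit(ts:N)) of matching records."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if matches_rule(rec):
            hits.append(rec['msg'].split(':')[1].rstrip(')'))
    return hits

if __name__ == '__main__':
    print(scan(SAMPLE_LOG))  # ['201', '202', '203']
```

Note that event 205 (a plain `cat holiday.jpg`) and event 204 (no image argument) fall through, which is why the rule needs all three selections in its condition.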
Related rules
- Steganography Extract Files with Steghide
- Steganography Unzip Hidden Information From Picture File
- Hidden Files and Directories
- Potential DLL Injection Or Execution Using Tracker.exe
- Mshta Executing from Registry