Steganography Extract Files with Steghide
Detects extraction of files using the steghide binary; adversaries may use this technique to prevent detection of hidden information.
Sigma rule (View on GitHub)
title: Steganography Extract Files with Steghide
id: a5a827d9-1bbe-4952-9293-c59d897eb41b
status: test
description: Detects extraction of files using the steghide binary; adversaries may use this technique to prevent detection of hidden information.
references:
    - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
author: 'Pawel Mazur'
date: 2021/09/11
modified: 2022/10/09
tags:
    - attack.defense_evasion
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: steghide
        a1: extract
        a2: '-sf'
        a3|endswith:
            - '.jpg'
            - '.png'
    condition: selection
falsepositives:
    - Unknown
level: low
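The selection above is a positional match on auditd EXECVE argument fields, which is worth seeing against real-looking records before deploying it. The following Python is an added example, not part of the SigmaHQ rule or its author's work: it parses constructed auditd EXECVE lines (including the hex-encoded form auditd uses for argv entries containing spaces or quotes) and applies the rule's selection with Sigma's default case-insensitive string matching. The sample records, file names and the `-p hunter2` passphrase are invented for illustration. Records 3 to 5 show where the rule is silent by design: steghide accepts its options in any order, so `-p` before `-sf` shifts the positions; `a0` is argv[0] as typed, so `/usr/bin/steghide` is not equal to `steghide`; and steghide's other cover formats (`.bmp`, `.wav`, `.au`) are not in the `a3|endswith` list.

```python
import re
from typing import Dict, List, Optional

# The Sigma selection from the rule, expressed as plain Python.
SELECTION_EXACT = {"a0": "steghide", "a1": "extract", "a2": "-sf"}
A3_ENDSWITH = (".jpg", ".png")

# Constructed auditd records for illustration only (not real captures).
SAMPLE_RECORDS = [
    # 1: plain quoted argv, should match
    'type=EXECVE msg=audit(1631347200.123:4711): argc=4 a0="steghide" a1="extract" a2="-sf" a3="/home/user/cat.jpg"',
    # 2: a3 hex-encoded by auditd because the path contains a space ("/home/user/my picture.jpg"), should match
    'type=EXECVE msg=audit(1631347200.456:4712): argc=4 a0="steghide" a1="extract" a2="-sf" a3=2F686F6D652F757365722F6D7920706963747572652E6A7067',
    # 3: passphrase option given first shifts -sf to a4, rule does not match
    'type=EXECVE msg=audit(1631347201.001:4713): argc=6 a0="steghide" a1="extract" a2="-p" a3="hunter2" a4="-sf" a5="cat.jpg"',
    # 4: invoked by full path, a0 is no longer exactly "steghide"
    'type=EXECVE msg=audit(1631347202.001:4714): argc=4 a0="/usr/bin/steghide" a1="extract" a2="-sf" a3="cat.jpg"',
    # 5: WAV cover file, extension not in the rule's list
    'type=EXECVE msg=audit(1631347203.001:4715): argc=4 a0="steghide" a1="extract" a2="-sf" a3="secret.wav"',
    # 6 and 7: unrelated EXECVE and a non-EXECVE record
    'type=EXECVE msg=audit(1631347204.001:4716): argc=2 a0="ls" a1="-la"',
    'type=SYSCALL msg=audit(1631347204.001:4716): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/usr/bin/ls"',
]

# aN="quoted value"  or  aN=HEXBYTES (auditd hex-encodes args with spaces, quotes or control bytes)
ARG_RE = re.compile(r'\b(a\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(record: str) -> Optional[Dict[str, str]]:
    """Return the aN argv fields of an auditd EXECVE record, or None for other record types."""
    if not record.startswith("type=EXECVE "):
        return None
    args: Dict[str, str] = {}
    for m in ARG_RE.finditer(record):
        key, quoted, hexval = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            args[key] = quoted
        else:
            args[key] = bytes.fromhex(hexval).decode("utf-8", errors="replace")
    return args


def matches_rule(args: Dict[str, str]) -> bool:
    """Apply the rule's selection; Sigma string comparison is case-insensitive by default."""
    for key, expected in SELECTION_EXACT.items():
        if args.get(key, "").lower() != expected:
            return False
    return args.get("a3", "").lower().endswith(A3_ENDSWITH)


def scan(records: List[str]) -> List[Dict[str, str]]:
    """Return the parsed argv of every EXECVE record that satisfies the rule."""
    hits = []
    for rec in records:
        args = parse_execve(rec)
        if args is not None and matches_rule(args):
            hits.append(args)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print("ALERT:", " ".join(hit[k] for k in sorted(hit, key=lambda k: int(k[1:]))))
```

Only records 1 and 2 alert. If the gaps shown by records 3 to 5 matter in your environment, the usual fix is to drop the positional `a1`/`a2` constraints in favour of `a0|endswith: steghide` plus a `-sf` match on any argument, and to extend the extension list to the cover formats steghide actually accepts; both widen the rule beyond what the upstream version states, so test the false-positive rate before raising the level.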
Related rules
- Steganography Hide Zip Information in Picture File
- Steganography Unzip Hidden Information From Picture File
- Hidden Files and Directories
- Potential DLL Injection Or Execution Using Tracker.exe
- Mshta Executing from Registry