Steganography Unzip Hidden Information From Picture File

Detects extraction of a zip archive hidden inside an image file: an unzip execution, seen as an auditd EXECVE record, whose first argument ends in .jpg or .png. The match is on argument a1 only, so an invocation that puts an option before the path (for example "unzip -o hidden.jpg") is not caught, and the rule can only fire where execve syscall auditing is enabled, since auditd emits EXECVE records only for audited execve calls.

Sigma rule

```yaml
title: Steganography Unzip Hidden Information From Picture File
id: edd595d7-7895-4fa7-acb3-85a18a8772ca
status: test
description: Detects extracting of zip file from image file
references:
    - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
author: 'Pawel Mazur'
date: 2021-09-09
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    commands:
        type: EXECVE
        a0: unzip
    a1:
        a1|endswith:
            - '.jpg'
            - '.png'
    condition: commands and a1
falsepositives:
    - Unknown
level: low
```
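The following Python script is an added example, not part of the rule or of the SigmaHQ project: it replays the rule's detection logic over a handful of constructed auditd EXECVE records, including one whose argument auditd has hex-encoded, and goes one step beyond the published rule with a variant that accepts the image path in any argument position (so that "unzip -o vacation.jpg" is caught as well). The log lines, event serials and file names are made up for the example; the field layout follows auditd's EXECVE record format, and string comparisons are lowercased because Sigma value matching is case-insensitive.

```python
import re
from typing import Dict, List

# Constructed auditd records for this example (not real captures). An EXECVE
# record carries argc and then a0..aN; auditd double-quotes printable argument
# values and hex-encodes (unquoted) any value containing spaces or non-printable bytes.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1631188800.101:201): argc=2 a0="unzip" a1="vacation.jpg"
type=EXECVE msg=audit(1631188800.102:202): argc=3 a0="unzip" a1="-o" a2="vacation.jpg"
type=EXECVE msg=audit(1631188800.103:203): argc=2 a0="unzip" a1="backup.zip"
type=EXECVE msg=audit(1631188800.104:204): argc=2 a0="cat" a1="vacation.png"
type=EXECVE msg=audit(1631188800.105:205): argc=2 a0="unzip" a1=68696464656E2E706E67
type=SYSCALL msg=audit(1631188800.105:205): arch=c000003e syscall=59 success=yes exit=0
"""

IMAGE_SUFFIXES = (".jpg", ".png")  # the rule's a1|endswith list

# key=value pairs; a value is either a double-quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
ARG_KEY_RE = re.compile(r"a\d+")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one auditd line into a field dict.

    Quoted values lose their quotes; unquoted hex values in argument fields
    (a0, a1, ...) are decoded, which is how auditd encodes arguments that
    contain spaces or non-printable bytes. (Long arguments that auditd splits
    into a2[0], a2[1], ... chunks are not reassembled here.)
    """
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        elif ARG_KEY_RE.fullmatch(key) and HEX_RE.fullmatch(raw) and len(raw) % 2 == 0:
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def event_serial(rec: Dict[str, str]) -> str:
    """Extract the audit event serial, e.g. '201' from 'audit(1631188800.101:201):'."""
    m = re.search(r"audit\([^:]+:(\d+)\)", rec.get("msg", ""))
    return m.group(1) if m else ""


def matches_sigma_rule(rec: Dict[str, str]) -> bool:
    """The rule's condition 'commands and a1'.

    commands: type == EXECVE and a0 == unzip
    a1:       a1 ends with .jpg or .png
    Sigma string matching is case-insensitive, so values are lowercased.
    """
    commands = rec.get("type") == "EXECVE" and rec.get("a0", "").lower() == "unzip"
    a1 = rec.get("a1", "").lower().endswith(IMAGE_SUFFIXES)
    return commands and a1


def matches_any_argument(rec: Dict[str, str]) -> bool:
    """Broader variant (not the published rule): accept the image path in any
    argument position, so 'unzip -o vacation.jpg' is caught too."""
    if not (rec.get("type") == "EXECVE" and rec.get("a0", "").lower() == "unzip"):
        return False
    argc = int(rec.get("argc", "0"))
    return any(rec.get(f"a{i}", "").lower().endswith(IMAGE_SUFFIXES) for i in range(1, argc))


def run_detection(log: str, matcher=matches_sigma_rule) -> List[str]:
    """Return the serials of the records that the given matcher fires on."""
    return [event_serial(rec) for rec in map(parse_record, log.splitlines()) if matcher(rec)]


if __name__ == "__main__":
    print("published rule :", run_detection(SAMPLE_LOG))                        # serials 201 and 205
    print("any-argument   :", run_detection(SAMPLE_LOG, matches_any_argument))  # 201, 202 and 205
```

Run against the constructed log, the published logic fires on serials 201 and 205 and misses 202, where "-o" occupies a1; the any-argument variant also catches 202. The hex-decoding branch matters in practice because an attacker who passes a path containing a space, or a non-ASCII file name, gets the argument hex-encoded by auditd, and a backend that does not decode it before applying endswith will never see the ".png".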
