Find sigma rule 
Attack: Data Obfuscation via Steganography
Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.
MITRE
Tactic
- command-and-control
technique
- T1001.002
Test : Embedded Script in Image Execution via Extract-Invoke-PSImage
OS
- windows
Description:
This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.
The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.
In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file.
Executor
powershell