
Attack: Data Obfuscation via Steganography

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.


Test: Steganographic Tarball Embedding

Description:

This atomic test, named “Steganographic Tarball Embedding”, simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) within an image.

The test begins by ensuring that the image file and the tarball file containing data are available. It then generates random passwords and saves them to a file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball file within the image, using steganography techniques for data obfuscation.

This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected. By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.
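Because the test simply appends the tarball after the image's bytes, the image decoder still renders the file while the archive sits in the trailer. A defender can detect this by parsing the image container to its end marker and checking whether anything follows. The following is an added example, not part of the atomic test or the site's own code; it assumes a PNG carrier (one chunk walk to the IEND chunk) and builds its own constructed sample in memory, with a constructed passwords file standing in for the test's generated one.

```python
import io
import struct
import tarfile
import zlib
from typing import Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TAR_MAGIC_OFFSET = 257  # "ustar" magic sits at byte 257 of every tar header block


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the PNG chunk list and return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length + type + payload + CRC
        if ctype == b"IEND":
            return pos
    return None  # truncated or malformed: no IEND found


def inspect_image(data: bytes) -> dict:
    """Report how many bytes trail the PNG and whether that trailer looks like a tar archive."""
    end = png_end_offset(data)
    if end is None:
        return {"is_png": False, "trailing_bytes": 0, "tar_embedded": False}
    trailer = data[end:]
    tar_embedded = trailer[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar"
    return {"is_png": True, "trailing_bytes": len(trailer), "tar_embedded": tar_embedded}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    # PNG chunk: big-endian length, type, payload, CRC32 over type + payload
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed sample: a minimal 1x1 PNG, and the same PNG with a tarball appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:  # mirrors the test's tarball step
        body = b"constructed-password-1\nconstructed-password-2\n"  # constructed stand-in
        info = tarfile.TarInfo("passwords.txt")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return png, png + buf.getvalue()
```

For JPEG carriers the same check applies with the end-of-image marker (FF D9) in place of IEND; any non-zero trailer on an image file is worth flagging even when it is not a tar.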

Executor: powershell
