Sigma rule, licensed DRL-1.1, from SigmaHQ/sigma

Steganography Hide Files with Steghide

Detects embedding of files with the steghide binary; adversaries may use this technique to prevent the detection of hidden information.

Rule source: rules/linux/auditd/execve/lnx_auditd_steghide_embed_steganography.yml
title: Steganography Hide Files with Steghide
id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
status: test
description: Detects embedding of files with the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
references:
    - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
author: 'Pawel Mazur'
date: 2021-09-11
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: steghide
        a1: embed
        a2:
            - '-cf'
            - '-ef'
        a4:
            - '-cf'
            - '-ef'
    condition: selection
falsepositives:
    - Unknown
level: low
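To see what the selection above actually matches, here is an added example (not part of the rule or of SigmaHQ's code) that parses auditd EXECVE records and applies the same a0/a1/a2/a4 logic to a few constructed log lines. Argument values are compared case-insensitively, which is Sigma's default string-matching behaviour; the record format is standard auditd, including its unquoted hex encoding of arguments that contain whitespace.

```python
import re
from typing import Dict, List

# auditd writes each argv element as aN="value", or as unquoted hex (aN=6D79...)
# when the value contains whitespace or non-printable bytes. Both forms are parsed.
_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

# Values the rule accepts in positions a2 and a4 (from the Sigma selection above).
FLAGS = {"-cf", "-ef"}


def parse_execve(line: str) -> Dict[int, str]:
    """Return {argv_index: value} for an EXECVE record, or {} for other record types."""
    if "type=EXECVE" not in line:
        return {}
    args: Dict[int, str] = {}
    for m in _ARG_RE.finditer(line):
        idx, quoted, hexed = int(m.group(1)), m.group(2), m.group(3)
        args[idx] = quoted if quoted is not None else bytes.fromhex(hexed).decode("utf-8", "replace")
    return args


def matches_rule(args: Dict[int, str]) -> bool:
    """Mirror the rule's selection: a0=steghide, a1=embed, a2 and a4 each in {-cf, -ef}."""
    def arg(i: int) -> str:
        return args.get(i, "").lower()          # Sigma matches strings case-insensitively by default
    return arg(0) == "steghide" and arg(1) == "embed" and arg(2) in FLAGS and arg(4) in FLAGS


def scan(lines: List[str]) -> List[str]:
    """Return the log lines that would fire this rule."""
    return [line for line in lines if matches_rule(parse_execve(line))]


# Constructed sample records (not real logs); line 4 hex-encodes a3="my cover.jpg".
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1631352000.101:201): argc=7 a0="steghide" a1="embed" a2="-cf" a3="cover.jpg" a4="-ef" a5="secret.txt" a6="-p"',
    'type=EXECVE msg=audit(1631352000.102:202): argc=6 a0="steghide" a1="embed" a2="-ef" a3="notes.txt" a4="-cf" a5="photo.jpg"',
    'type=EXECVE msg=audit(1631352000.103:203): argc=4 a0="steghide" a1="extract" a2="-sf" a3="cover.jpg"',
    'type=EXECVE msg=audit(1631352000.104:204): argc=3 a0="ls" a1="-la" a2="/tmp"',
    'type=EXECVE msg=audit(1631352000.105:205): argc=6 a0="steghide" a1="embed" a2="-cf" a3=6D7920636F7665722E6A7067 a4="-ef" a5="s.txt"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("MATCH:", hit)
```

Because the selection keys on fixed argv positions, an invocation that places another option before the cover/embed flags (for example `-p` as a2) is not matched; when tuning the rule, consider whether a positional or a contains-style match on the argument list better fits your environment.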