Skip to content

DET0235 Detecting Steganographic Command and Control via File + Network Correlation

Item Value
ID DET0235
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1001.002 (Steganography)

Analytics

Windows

AN0651

Detect the creation or modification of common media file formats (e.g., .jpg, .png, .wav) following suspicious process activity like compression or encryption, especially when paired with lateral movement or exfiltration behavior.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Network Traffic Content (DC0085) NSM:Flow Session Transfer Content
Mutable Elements
Field Description
FileExtensionFilter Allows tuning of monitored file types (e.g., .jpg, .png, .docx).
PayloadEntropyThreshold Threshold for flagging potential hidden data in outbound payloads.
ExecutionToExfilTimeWindow Time window between media creation and network transmission.

Linux

AN0652

Unusual use of steganographic or media processing binaries (e.g., steghide, ffmpeg, imagemagick) followed by outbound communication to external IPs with high data output and media MIME types.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Network Traffic Content (DC0085) NSM:Flow Captured File Content
File Metadata (DC0059) NSM:Flow Observed File Transfers
Mutable Elements
Field Description
ToolNameMatch Specify which binaries to monitor (e.g., steghide, outguess).
OutboundTrafficPattern Adjust based on known normal file upload services.

macOS

AN0653

Abnormal usage of Preview, ImageMagick, or binary editors to alter images/documents, followed by exfiltration or outbound connections with mismatched file MIME types or payload structure.

Log Sources
Data Component Name Channel
File Creation (DC0039) macos:unifiedlog File creation
Process Creation (DC0032) macos:osquery process_events
Network Traffic Content (DC0085) NSM:Flow C2 exfiltration
Mutable Elements
Field Description
ParentProcessBaseline Allow tuning based on expected apps calling image-editing tools.
TimeDelta Gap between file manipulation and outbound connection.

ESXi

AN0654

Suspicious modification of file artifacts (e.g., logs, ISO templates) on ESXi datastores, followed by beaconing or POST operations to external IPs potentially hiding payloads in file-like traffic.

Log Sources
Data Component Name Channel
File Metadata (DC0059) esxi:vmkernel Storage access and file ops
Network Connection Creation (DC0082) esxi:hostd Service initiated connections
Network Traffic Content (DC0085) NSM:Flow Transferred file observations
Mutable Elements
Field Description
FilenamePattern Tune for likely stego file names (e.g., wallpaper.jpg, template.iso).
UnusualDestinationIP Destination outside vCenter management subnet.