Command and Control

T1001.002: Steganography

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that...

T1001.002 · Sub-technique · 4 platforms · 1 group

Description

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

Platforms

Linux, macOS, Windows, ESXi

Mitigations (1)

M1031: Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.

Threat Groups (1)

| ID | Group | Context |
|---|---|---|
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has used steganography to hide its C2 communications. (Citation: Novetta-Axiom) |

Associated Software (11)

| ID | Name | Type | Context |
|---|---|---|---|
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can receive C2 commands hidden in the structure of .jpg and .gif images. (Citation: ESET Turla Luna... |
| S0037 | HAMMERTOSS | Malware | [HAMMERTOSS](https://attack.mitre.org/software/S0037) is controlled via commands that are appended to image files. (Citation: FireEye APT29) |
| S0633 | Sliver | Tool | [Sliver](https://attack.mitre.org/software/S0633) can encode binary data into a .PNG file for C2 communication. (Citation: GitHub Sliver HTTP) |
| S0672 | Zox | Malware | [Zox](https://attack.mitre.org/software/S0672) has used the .PNG file format for C2 communications. (Citation: Novetta-Axiom) |
| S0395 | LightNeuron | Malware | [LightNeuron](https://attack.mitre.org/software/S0395) is controlled via commands that are embedded into PDFs and JPGs using steganographic methods. (C... |
| S0230 | ZeroT | Malware | [ZeroT](https://attack.mitre.org/software/S0230) has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography. (C... |
| S0187 | Daserf | Malware | [Daserf](https://attack.mitre.org/software/S0187) can use steganography to hide malicious code downloaded to the victim. (Citation: Trend Micro Daserf ... |
| S0495 | RDAT | Malware | [RDAT](https://attack.mitre.org/software/S0495) can process steganographic images attached to email messages to send and receive C2 commands. [RDAT](h... |
| S1142 | LunarMail | Malware | [LunarMail](https://attack.mitre.org/software/S1142) can parse IDAT chunks from .png files to look for zlib-compressed and AES encrypted C2 commands. (... |
| S0038 | Duqu | Malware | When the [Duqu](https://attack.mitre.org/software/S0038) command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by a... |
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob. (Citat... |

Frequently Asked Questions

What is T1001.002 (Steganography)?

T1001.002 is a MITRE ATT&CK sub-technique named 'Steganography'. It belongs to the Command and Control tactic. Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that...

How can T1001.002 be detected?

Detection of T1001.002 (Steganography) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1001.002?

There is 1 documented mitigation for T1001.002: Network Intrusion Prevention (M1031).

Which threat groups use T1001.002?

Known threat groups using T1001.002 include: Axiom.