ID | Name |
---|---|
T1001.001 | Junk Data |
T1001.002 | Steganography |
T1001.003 | Protocol Impersonation |
Adversaries may use steganographic techniques to hide command and control traffic and make detection harder. Steganography conceals data inside digital messages that are transferred between systems, and the hidden content can carry commands to, or results from, compromised systems. In some cases the carrier files themselves, such as image or document files with steganographically embedded content, are passed between the adversary and the implant and serve as the command and control channel.
ID | Name | Description |
---|---|---|
G0001 | Axiom | Axiom has used steganography to hide its C2 communications.[1] |
S0187 | Daserf | Daserf can use steganography to hide malicious code downloaded to the victim.[2] |
S0038 | Duqu | When the Duqu command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file.[3] |
S0037 | HAMMERTOSS | HAMMERTOSS is controlled via commands that are appended to image files.[4] |
S0395 | LightNeuron | LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.[5] |
C0023 | Operation Ghost | During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers.[6] |
S0495 | RDAT | RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator.[7] |
S0633 | Sliver | Sliver can encode binary data into a .PNG file for C2 communication.[8] |
S0559 | SUNBURST | SUNBURST C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.[9][10][11] |
S0230 | ZeroT | ZeroT has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography.[12][13] |
S0672 | Zox | |
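As an added illustration of the LSB technique named in the ZeroT and RDAT entries (example code written for this page, not code from ATT&CK or from any of the families above): a C2 command is written, one bit per pixel byte, into the least significant bits of a 24-bit BMP and then recovered by parsing the stego file back. The BMP builder and parser, the gradient cover image, the 4-byte length framing and the sample command are all constructed here and are assumptions of the example, not details of any real implant.

```python
"""Added example: LSB steganography of a C2 command in a 24-bit BMP carrier.
Everything here (BMP builder/parser, gradient cover, framing, sample command) is
constructed for illustration and is not code from any of the families above."""
import struct

FILE_HEADER_SIZE = 14
INFO_HEADER_SIZE = 40


def build_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Wrap raw BGR pixel bytes (row-major, top row first) in an uncompressed
    24-bit BMP. BMP stores rows bottom-up, each padded to a 4-byte boundary."""
    row_len = width * 3
    pad = b"\x00" * ((4 - row_len % 4) % 4)
    body = b"".join(pixels[y * row_len:(y + 1) * row_len] + pad
                    for y in range(height - 1, -1, -1))
    offset = FILE_HEADER_SIZE + INFO_HEADER_SIZE
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(body), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", INFO_HEADER_SIZE, width, height,
                              1, 24, 0, len(body), 2835, 2835, 0, 0)
    return file_header + info_header + body


def parse_bmp(data: bytes):
    """Return (width, height, pixel bytes in row-major top-down order)."""
    magic, _, _, _, offset = struct.unpack_from("<2sIHHI", data, 0)
    _, width, height, _, bpp, compression = struct.unpack_from(
        "<IiiHHI", data, FILE_HEADER_SIZE)
    if magic != b"BM" or bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMP is handled here")
    row_len = width * 3
    stride = (row_len + 3) & ~3
    rows = (data[offset + r * stride: offset + r * stride + row_len]
            for r in range(height - 1, -1, -1))
    return width, height, b"".join(rows)


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Write a 4-byte little-endian length plus the payload into the LSB of
    successive pixel bytes (MSB-first within each payload byte)."""
    framed = struct.pack("<I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    bits = ((b >> (7 - j)) & 1 for b in framed for j in range(8))
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Inverse of embed(): read the length field, then that many payload bytes."""
    def read_bytes(bit_offset: int, count: int) -> bytes:
        out = bytearray()
        for k in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (pixels[bit_offset + k * 8 + j] & 1)
            out.append(value)
        return bytes(out)
    (length,) = struct.unpack("<I", read_bytes(0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("length field exceeds carrier: not our framing")
    return read_bytes(32, length)


def gradient_cover(width: int = 64, height: int = 48) -> bytes:
    """Constructed smooth-gradient cover image standing in for a real picture."""
    return bytes(v & 0xFF for y in range(height) for x in range(width)
                 for v in (x * 4, y * 5, (x + y) * 2))


def roundtrip(command: bytes = b"cmd:whoami /all") -> tuple:
    """Embed `command` into a BMP, parse the stego BMP back and recover it.
    Returns (recovered command, largest per-byte pixel change)."""
    w, h = 64, 48
    cover_px = gradient_cover(w, h)
    stego_bmp = build_bmp(w, h, embed(cover_px, command))
    _, _, stego_px = parse_bmp(stego_bmp)
    max_delta = max(abs(a - b) for a, b in zip(cover_px, stego_px))
    return extract(stego_px), max_delta


if __name__ == "__main__":
    print(roundtrip())   # (b'cmd:whoami /all', 1)
```

The stego file has exactly the same size and header as the cover, and no channel value moves by more than 1 out of 255, which is why neither a size check nor a human looking at the picture will notice it; detection has to come from statistics on the pixel data or from the context the file travels in. Capacity here is one payload bit per pixel byte, so a 64x48 carrier holds a little over 1 KB; real implants spread bits less predictably than this sequential layout.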
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet contents associated with the protocol(s) in use, leveraging SSL/TLS inspection for encrypted traffic, for activity that does not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure, or image files whose size or content does not match what their headers declare). |
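Two content-inspection checks that follow from the detection guidance above, written as an added example for this page (not ATT&CK's code and not tied to any of the families listed): a container walker that reports bytes appended after a JPEG's EOI marker or a PNG's IEND chunk, which is the Duqu and HAMMERTOSS style of carrying data in image files, and the chi-square "pairs of values" statistic (Westfeld and Pfitzmann) that flags a fully replaced LSB plane. The sample JPEG, PNG and pixel buffer are constructed inline; the 2.0 decision threshold is an assumption chosen for this example and should be calibrated on real carriers before use.

```python
"""Added example (not ATT&CK's own code): two content-inspection checks for
steganographic image carriers, run over constructed sample files."""
import random
import struct
import zlib


def jpeg_eoi_offset(data: bytes):
    """Walk JPEG marker segments and return the offset just past the EOI marker
    (None if malformed). Walking segments, rather than searching for the FF D9
    byte pair, avoids a false hit on an EXIF thumbnail's own EOI and a miss
    when the appended payload itself happens to contain FF D9."""
    if data[:2] != b"\xff\xd8":
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte
            pos += 1
            continue
        if marker == 0xD9:                                   # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > n:
            return None
        (seg_len,) = struct.unpack_from(">H", data, pos + 2)
        pos += 2 + seg_len
        if marker == 0xDA:   # SOS: skip entropy-coded data (FF 00 / RSTn are not markers)
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] != 0x00
                                       and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    return None


def png_iend_offset(data: bytes):
    """Walk PNG chunks and return the offset just past IEND (None if malformed)."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        return None
    pos, n = 8, len(data)
    while pos + 8 <= n:
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 12 + length                # length + type + data + CRC
        if end > n:
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the container's logical end: an appended payload a renderer ignores."""
    end = jpeg_eoi_offset(data) if data[:2] == b"\xff\xd8" else png_iend_offset(data)
    return b"" if end is None else data[end:]


def lsb_chi_square(pixels: bytes):
    """Chi-square 'pairs of values' statistic over the byte histogram. Sequential
    LSB replacement pushes the counts of each (2k, 2k+1) pair toward equality, so
    a statistic near one per degree of freedom suggests a fully embedded LSB plane.
    Returns (statistic per degree of freedom, degrees of freedom)."""
    hist = [0] * 256
    for b in pixels:
        hist[b] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if even + odd:
            stat += (even - odd) ** 2 / (even + odd)
            pairs += 1
    dof = max(pairs - 1, 1)
    return stat / dof, dof


def looks_lsb_embedded(pixels: bytes) -> bool:
    return lsb_chi_square(pixels)[0] < 2.0   # threshold is an assumption; tune on real data


# ---- constructed samples (not real captures) ----
def sample_jpeg_with_trailer() -> bytes:
    thumb = b"\xff\xd8\xff\xd9"                               # thumbnail carries its own EOI
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", 8 + len(thumb)) + b"Exif\x00\x00" + thumb
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"                            # FF 00 is byte stuffing
    return b"\xff\xd8" + app0 + app1 + sos + scan + b"\xff\xd9" + b"GET /tasks/1\n"


def sample_png_with_trailer() -> bytes:
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body)))
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    return b"\x89PNG\r\n\x1a\n" + ihdr + idat + chunk(b"IEND", b"") + b"\x01\x02beacon"


def sample_pixels(width: int = 64, height: int = 48) -> bytes:
    """Smooth gradient standing in for a clean 24-bit cover image."""
    return bytes(v & 0xFF for y in range(height) for x in range(width)
                 for v in (x * 4, y * 5, (x + y) * 2))


def random_lsb_plane(pixels: bytes, seed: int = 1234) -> bytes:
    """Overwrite every LSB with a pseudo-random bit: what a full LSB embedding leaves."""
    rng = random.Random(seed)
    return bytes((b & 0xFE) | rng.getrandbits(1) for b in pixels)
```

Run `trailing_bytes()` over image files carved from proxy or TLS-inspected sessions; anything after EOI or IEND is invisible to a viewer and has no business being there. Note the two limits a practitioner should keep in mind: the chi-square test only reacts to sequential, near-full LSB replacement (scattered or low-rate embedding defeats it, which is why the threshold must be tuned against your own clean baseline), and the trailer check says nothing about data hidden inside legitimate segments such as the LSB plane itself, so the two checks complement rather than replace each other.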