Data Hiding

Certain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. [1] [2] [3]

ID: T1320
Sub-techniques:  No sub-techniques
Tactic: Adversary Opsec
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): Yes

Explanation: Unless defender is dissecting protocols or performing network signature analysis on any protocol deviations/patterns, this technique is largely undetected.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): No

Explanation: This technique requires a more advanced protocol understanding and testing to insert covert communication into legitimate protocol fields.


  1. Christian J. Dietrich, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann. (2011). On Botnets that use DNS for Command and Control. Retrieved March 6, 2017.
  2. FireEye. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved March 6, 2017.
  1. Alexey Shulmi and Sergey Yunakovsky. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved May 9, 2017.