| ID | Name |
|---|---|
| T1406.001 | Steganography |
| T1406.002 | Software Packing |
Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
| ID | Name | Description |
|---|---|---|
| S0440 | Agent Smith | Agent Smith’s core malware is disguised as a JPG file, and encrypted with an XOR cipher.[1] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0677 | Detection of Steganography | AN1780 | Defender correlates an app's opaque media ingress (download/IPC) with high-entropy or anomalous edits to image/audio/video files in app-writable storage (e.g., bursts of bitmap/codec operations, EXIF/IPTC/XMP mutation, suspicious container growth), followed by decoding/extraction behavior (new non-media artifact derived from the edited media) and optional exfiltration/sharing of the stego media. Focus is on: (1) opaque media arrival → (2) rapid metadata or pixel-domain mutations with atypical size/entropy deltas → (3a) decoded payload creation or dynamic load from decoded path, and/or (3b) upload/share of the modified media within a tight window. |
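The staged correlation that AN1780 describes, written out as an added example (not ATT&CK's or any vendor's code). The telemetry schema, event kinds, file paths, window and entropy threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical telemetry schema (an assumption, not ATT&CK's data model).
# kinds: media_ingress, media_mutation, decoded_artifact, media_upload
@dataclass
class Event:
    ts: float                    # seconds
    app: str
    kind: str
    path: str                    # media file, or the derived file for decoded_artifact
    src: str = ""                # decoded_artifact only: media it was derived from
    entropy_delta: float = 0.0   # media_mutation only: bits/byte change vs. prior version

WINDOW_S = 120.0         # tight window for stages (2) and (3); assumed value
ENTROPY_DELTA_MIN = 0.5  # "atypical entropy delta" threshold; assumed value

def detect_stego_chains(events):
    """One alert per ingress that is followed within WINDOW_S by an anomalous mutation
    of the same media (2), then a decoded artifact derived from it (3a) and/or its upload (3b)."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_app[e.app].append(e)
    alerts = []
    for app, evs in by_app.items():
        for i, ingress in enumerate(evs):
            if ingress.kind != "media_ingress":
                continue
            deadline = ingress.ts + WINDOW_S
            mutation = next((e for e in evs[i + 1:]
                             if e.kind == "media_mutation" and e.path == ingress.path
                             and e.ts <= deadline and abs(e.entropy_delta) >= ENTROPY_DELTA_MIN), None)
            if mutation is None:
                continue
            tail = sorted({e.kind for e in evs if mutation.ts < e.ts <= deadline
                           and ((e.kind == "decoded_artifact" and e.src == ingress.path)
                                or (e.kind == "media_upload" and e.path == ingress.path))})
            if tail:
                alerts.append({"app": app, "media": ingress.path, "stages": tail})
    return alerts

# Constructed sample: one chain matching all stages, one benign photo edit that does not.
SAMPLE = [
    Event(0, "com.example.app", "media_ingress", "/data/app/cache/a.jpg"),
    Event(5, "com.example.app", "media_mutation", "/data/app/cache/a.jpg", entropy_delta=1.3),
    Event(9, "com.example.app", "decoded_artifact", "/data/app/cache/blob.bin", src="/data/app/cache/a.jpg"),
    Event(20, "com.example.app", "media_upload", "/data/app/cache/a.jpg"),
    Event(0, "com.example.gallery", "media_ingress", "/sdcard/DCIM/b.jpg"),
    Event(30, "com.example.gallery", "media_mutation", "/sdcard/DCIM/b.jpg", entropy_delta=0.1),
    Event(40, "com.example.gallery", "media_upload", "/sdcard/DCIM/b.jpg"),
]
```

The benign gallery edit is dropped at stage (2) because its entropy delta is below the threshold, which is the knob that separates ordinary photo edits from the pixel-domain rewrites the analytic targets.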