Steganography Malware Creation

Rule added on 30th May, 2024

Rule type:

Correlation

Rule description:

Steganography is the technique of concealing secret data within an ordinary carrier such as a file, message, image, audio track or video. Attackers use it to embed malicious code or data inside an apparently harmless file such as an image or a document, so that the payload passes controls that inspect only the outer file.

Attack chain scenario: Malicious file upload -> Steganography-embedded malware -> Data breach

Impact:

It can be used by adversaries in the following ways:

  • Malware deployment
  • Creating backdoors for further attacks
  • Compromise of sensitive data

Data source:

Windows > Process Creation

Required configuration: The rule is based on process creation events. Prerequisites are installing and configuring Sysmon, enabling the Audit Process Creation audit policy, and enabling command line auditing (include the command line in process creation events), because the criteria inspect the command line and the OriginalFileName of the launched process.

Relevant MITRE ATT&CK techniques and tactics:

Tactic: TA0005- Defense Evasion

Technique: T1027- Obfuscated Files or Information

Sub Techniques: T1027.003- Steganography

Criteria:

( ( FileName = ":" ) ) AND ( ( Process Name = "regini.exe" ) OR ( Process Name endswith "reg.exe" ) OR ( Process Name endswith "print.exe" ) OR ( Process Name endswith "mpcmdrun.exe" ) OR ( Process Name endswith "makecab.exe" ) OR ( Process Name endswith "findstr.exe" ) OR ( Process Name endswith "extrac32.exe" ) OR ( Process Name endswith "expand.exe" ) OR ( Process Name endswith "diantz.exe" ) OR ( Process Name endswith "msxsl.exe" ) OR ( ORIGINALFILENAME contains "regini.exe" ) OR ( ORIGINALFILENAME contains "reg" ) OR ( ORIGINALFILENAME contains "print" ) OR ( ORIGINALFILENAME contains "mpcmdrun" ) OR ( ORIGINALFILENAME contains "makecab" ) OR ( ORIGINALFILENAME contains "findstr" ) OR ( ORIGINALFILENAME contains "extrac32" ) OR ( ORIGINALFILENAME contains "expand" ) OR ( ORIGINALFILENAME contains "diantz" ) OR ( ORIGINALFILENAME contains "msxsl" ) )

Attackers may use built-in command-line tools such as regini.exe, reg.exe, print.exe, mpcmdrun.exe, makecab.exe, findstr.exe, extrac32.exe, expand.exe, diantz.exe and msxsl.exe to write payload data into a harmless-looking carrier file. The colon in the file name argument (FileName = ":") is the NTFS alternate data stream syntax, image.png:payload.exe, which is how these tools attach hidden data to an existing file without changing what a viewer of that file sees; the OriginalFileName checks catch the same tools when the binary has been copied under another name.
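The criteria above, run over a few constructed Sysmon Event ID 1 records, as an added example in Python (this is not the vendor's rule engine and the events are not real telemetry). It assumes the Sysmon field names Image, OriginalFileName and CommandLine, reads FileName = ":" as "a command-line argument still contains a colon once a leading drive letter is removed", and skips switch-style tokens such as -F:* whose colon is tool syntax rather than a stream name.

```python
"""Evaluate the detection criteria above against Sysmon Event ID 1 records.

Added example for this page, not the vendor's implementation of the rule.
Assumptions: events are dicts with the Sysmon field names Image,
OriginalFileName and CommandLine; the criterion FileName = ":" is read as
"a command-line argument still contains ':' after a leading drive letter
is removed", which is the shape of an NTFS alternate data stream path.
"""
import re

# Process names the criteria match (Image basename, case-insensitive).
PROCESS_NAMES = {
    "regini.exe", "reg.exe", "print.exe", "mpcmdrun.exe", "makecab.exe",
    "findstr.exe", "extrac32.exe", "expand.exe", "diantz.exe", "msxsl.exe",
}
# Substrings the criteria accept in OriginalFileName (catches renamed copies).
ORIGINAL_FILENAME_SUBSTRINGS = (
    "regini.exe", "reg", "print", "mpcmdrun", "makecab", "findstr",
    "extrac32", "expand", "diantz", "msxsl",
)

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:(?=[\\/]|$)")
_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted strings or bare words


def is_ads_path(arg):
    """True when an argument looks like file:stream, e.g. 'a.png:drop.exe'.
    A bare drive letter colon ('C:\\a.png') does not count."""
    return ":" in _DRIVE_PREFIX.sub("", arg.strip('"'), count=1)


def tool_matches(image, original_file_name):
    """The OR-block of the criteria: exact Image basename, or a substring
    of OriginalFileName (note how broad 'reg', 'print' and 'expand' are)."""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in PROCESS_NAMES:
        return True
    ofn = (original_file_name or "").lower()
    return any(s in ofn for s in ORIGINAL_FILENAME_SUBSTRINGS)


def evaluate(event):
    """Return (matched, ads_arguments) for one process-creation event.
    Switch-style tokens ('-F:*', '/c:text') are skipped: a colon there is
    tool syntax, not a stream name, and is a known source of noise."""
    tokens = _TOKEN.findall(event["CommandLine"])[1:]   # drop the program token
    ads_args = [t.strip('"') for t in tokens
                if not t.startswith(("-", "/")) and is_ads_path(t)]
    matched = bool(ads_args) and tool_matches(event["Image"], event.get("OriginalFileName"))
    return matched, ads_args


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # payload packed into a stream behind an image: should alert
        "Image": r"C:\Windows\System32\makecab.exe",
        "OriginalFileName": "MakeCab.exe",
        "CommandLine": r'makecab.exe C:\Users\bob\stage.exe "C:\Users\bob\Pictures\holiday.png:payload.cab"',
    },
    {   # renamed copy of expand.exe; only OriginalFileName gives it away
        "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
        "OriginalFileName": "expand.exe",
        "CommandLine": r"svchost.exe C:\Users\bob\Pictures\holiday.png:payload.cab C:\Users\bob\run.exe",
    },
    {   # legitimate expand.exe use; '-F:*' contains a colon but is a switch
        "Image": r"C:\Windows\System32\expand.exe",
        "OriginalFileName": "expand.exe",
        "CommandLine": r"expand.exe -F:* C:\Windows\Temp\drivers.cab C:\Windows\Temp\out",
    },
    {   # ordinary reg.exe export, no stream in any argument
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg.exe export HKLM\SOFTWARE\Contoso C:\backup\contoso.reg",
    },
]


def run(events=SAMPLE_EVENTS):
    """Event index -> (matched, ads_args) for every event."""
    return {i: evaluate(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, (matched, ads) in run().items():
        print(f"event {i}: {'ALERT' if matched else 'ok'} {ads}")
```

Events 0 and 1 alert (the second only because OriginalFileName survives the rename), events 2 and 3 do not. Dropping the switch filter makes event 2 alert as well, which is the kind of tuning decision a rule with a bare ":" test forces on the analyst.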

When to enable this rule:

Security standards (NIST CSF 2.0):

Enabling this rule will help you meet the security standards' requirements listed below:

This rule detects the creation of malware using steganography, which involves concealing malicious code or data within seemingly innocuous files such as images or documents.

PR.PS-05: Installation and execution of unauthorized software are prevented

When this rule is triggered, you are notified of the possible creation of malware using steganography. This lets you take prompt action, for example by running a workflow that terminates the malicious process and by tightening access control on the affected host.

Known false positives: Complex media files with unusual compression: encrypted and heavily compressed files may lead to false positives. Because the OriginalFileName checks use short substrings (reg, print, expand), unrelated binaries whose original file name contains them (for example regsvr32.exe or PrintIsolationHost.exe) also satisfy the tool condition and may alert when launched with a colon in a file name argument. Legitimate administrative use of the listed tools with switch syntax that contains a colon, such as expand -F:files, may also trigger the rule.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Determine whether the alert is a new incident or part of an existing one.
  • Analysis: Analyze the impact and extent of the compromise to understand the severity of the attack, including which carrier file was written to and by which tool.
  • Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
  • Implement file integrity monitoring (FIM): Use FIM tools to monitor the suspected carrier files for changes such as a change in file size or hash.