Merge pull request #2018 from zakibro/master

New Linux Auditd Rules - Steghide Steganography
2021-09-12 08:29:56 +02:00
parent 92999468ee 6412ddaaee
commit dc5c26ad2d
2 changed files with 58 additions and 0 deletions
@@ -0,0 +1,30 @@
+title: Steganography Hide Files with Steghide
+id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
+description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/11
+references:
+   - https://attack.mitre.org/techniques/T1027/003/
+   - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+tags:
+   - attack.defense_evasion
+   - attack.t1027.003
+falsepositives:
+   - None
+level: low
+logsource:
+   product: linux
+   service: auditd
+detection:
+   Steghide:
+       type: EXECVE
+       a0: steghide
+       a1: embed
+       a2:
+         - '-cf'
+         - '-ef'
+       a4:
+         - '-cf'
+         - '-ef'
+   condition: Steghide
@@ -0,0 +1,28 @@
+title: Steganography Extract Files with Steghide
+id: a5a827d9-1bbe-4952-9293-c59d897eb41b
+description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/11
+references:
+   - https://attack.mitre.org/techniques/T1027/003/
+   - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+tags:
+   - attack.defense_evasion
+   - attack.t1027.003
+falsepositives:
+   - None
+level: low
+logsource:
+   product: linux
+   service: auditd
+detection:
+   Steghide: 
+       type: EXECVE
+       a0: steghide
+       a1: extract
+       a2: '-sf'
+       a3|endswith:
+         - '.jpg'
+         - '.png'
+   condition: Steghide