diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
new file mode 100644
index 000000000..584003dcc
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
@@ -0,0 +1,30 @@
+title: Steganography Hide Files with Steghide
+id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
+description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/11
+references:
+ - https://attack.mitre.org/techniques/T1027/003/
+ - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+tags:
+ - attack.defense_evasion
+ - attack.t1027.003
+falsepositives:
+ - None
+level: low
+logsource:
+ product: linux
+ service: auditd
+detection:
+ Steghide:
+ type: EXECVE
+ a0: steghide
+ a1: embed
+ a2:
+ - '-cf'
+ - '-ef'
+ a4:
+ - '-cf'
+ - '-ef'
+ condition: Steghide
diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
new file mode 100644
index 000000000..87fe4c423
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
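Review bot: `a0: steghide` is an exact match, so an EXECVE record whose argv[0] is a path (`/usr/bin/steghide`) never satisfies the selection; the extract rule in the second file has the same gap. `a0|endswith: steghide` — the modifier the extract rule already applies to `a3` — keeps the bare-name case and also covers path invocations. `falsepositives: - None` is too strong for a `level: low` rule, since steghide has legitimate uses such as watermarking or training exercises, so `- Unknown` or a named legitimate use would be more accurate. The `description` also has a typo: `embeding` should read `embedding`.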
@@ -0,0 +1,28 @@
+title: Steganography Extract Files with Steghide
+id: a5a827d9-1bbe-4952-9293-c59d897eb41b
+description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/11
+references:
+ - https://attack.mitre.org/techniques/T1027/003/
+ - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+tags:
+ - attack.defense_evasion
+ - attack.t1027.003
+falsepositives:
+ - None
+level: low
+logsource:
+ product: linux
+ service: auditd
+detection:
+ Steghide:
+ type: EXECVE
+ a0: steghide
+ a1: extract
+ a2: '-sf'
+ a3|endswith:
+ - '.jpg'
+ - '.png'
+ condition: Steghide
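Review bot: The `a3|endswith` list restricts the extract rule to `.jpg` and `.png` stego files, but steghide's documentation lists JPEG, BMP, WAV and AU as its supported cover formats, so `.bmp`, `.wav` and `.au` extractions are missed while `.png` is not a format the tool handles; `a3|endswith: ['.jpg', '.jpeg', '.bmp', '.wav', '.au']` would follow the tool. `a2: '-sf'` is positional, so an invocation that passes another option before `-sf` (for example `-p`) shifts `-sf` to `a4` and the stego filename to `a5`, escaping the selection; a second selection keyed on `a4: '-sf'` with `a5|endswith`, OR-ed into `condition`, would narrow that gap. A one-line comment above `a3|endswith` noting the positional assumption would also help the next maintainer.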