From 89f15c01f9a4b9827af0602505e8675e9179418d Mon Sep 17 00:00:00 2001
From: Pawel Mazur
Date: Sat, 11 Sep 2021 10:56:17 +0200
Subject: [PATCH 1/3] New Linux Auditd Rules - Steghide Steganography
---
 ...nx_auditd_steghide_embed_steganography.yml | 33 +++++++++++++++++++
 ..._auditd_steghide_extract_steganography.yml | 31 +++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
 create mode 100644 rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
new file mode 100644
index 000000000..36a83f675
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
@@ -0,0 +1,33 @@
+title: Steganography Hide Files with Steghide
+id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
+description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/11
+references:
+ - https://attack.mitre.org/techniques/T1027/003/
+ - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+tags:
+ - attack.defense_evasion
+ - attack.t1027.003
+falsepositives:
+ - None
+level: low
+logsource:
+ product: linux
+ service: auditd
+detection:
+ type:
+ type: EXECVE
+ commands:
+ a0: steghide
+ a1: embed
+ a2:
+ a2:
+ - '-cf'
+ - '-ef'
+ a4:
+ a4:
+ - '-cf'
+ - '-ef'
+ condition: type and commands and a2 and a4
diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
new file mode 100644
index 000000000..22c6dd1f5
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
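Review bot: The `a2` and `a4` selections in the embed rule pin `-cf` and `-ef` to fixed argv positions, but steghide's option parser accepts them in either order and other legal options such as `-p`, `-e` or `-z` may precede them, so many legitimate embed invocations never match; the extract rule in this patch and both follow-up hunks keep the same fixed-position matching. Since auditd records argv[0] as typed, `a0: steghide` also misses a fully-qualified path, so I would reduce the command match to `a0|endswith: steghide` and `a1: embed` and drop the `a2`/`a4` terms from the condition. Two smaller points: `embeding` in the description should read `embedding`, and `falsepositives: None` asserts more than a first experimental rule can, where `Unknown` is the value most rules in this repository use.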
@@ -0,0 +1,31 @@
+title: Steganography Extract Files with Steghide
+id: a5a827d9-1bbe-4952-9293-c59d897eb41b
+description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/11
+references:
+ - https://attack.mitre.org/techniques/T1027/003/
+ - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+tags:
+ - attack.defense_evasion
+ - attack.t1027.003
+falsepositives:
+ - None
+level: low
+logsource:
+ product: linux
+ service: auditd
+detection:
+ type:
+ type: EXECVE
+ commands:
+ a0: steghide
+ a1: extract
+ a2:
+ a2: '-sf'
+ a3:
+ a3|endswith:
+ - '.jpg'
+ - '.png'
+ condition: type and commands and a2 and a3
From d0741f9f3a80fa6c0627b3834c4b8ccde50a1485 Mon Sep 17 00:00:00 2001
From: zakibro <48967550+zakibro@users.noreply.github.com>
Date: Sat, 11 Sep 2021 11:18:08 +0200
Subject: [PATCH 2/3] Update lnx_auditd_steghide_embed_steganography.yml Formatting and detection changes
---
 .../auditd/lnx_auditd_steghide_embed_steganography.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
index 36a83f675..584003dcc 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
@@ -17,17 +17,14 @@ logsource:
 product: linux
 service: auditd
 detection:
- type:
+ Steghide:
 type: EXECVE
- commands:
 a0: steghide
 a1: embed
- a2:
 a2:
 - '-cf'
 - '-ef'
- a4:
 a4:
 - '-cf'
 - '-ef'
- condition: type and commands and a2 and a4
+ condition: Steghide
From 6412ddaaee6f4b175f65037c82558473dc83d0d6 Mon Sep 17 00:00:00 2001
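Review bot: The `a3|endswith` list in the extract rule names `.png`, a format steghide does not support (its cover formats are JPEG, BMP, WAV and AU), while `.jpeg`, `.bmp`, `.wav` and `.au` are absent, so that term can only fire on a renamed file and drops extractions from every other supported format; the stego file's extension is attacker-chosen anyway, so it adds little assurance. I would remove the `a3` selection and its term in the condition, or if a format hint is wanted, list the formats steghide actually reads: `- '.jpg'`, `- '.jpeg'`, `- '.bmp'`, `- '.wav'`, `- '.au'`. The fixed-position `a2: '-sf'` match shares the weakness raised on the embed rule's hunk above.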
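Review bot: The merged selection is named `Steghide` while single-selection rules in this repository conventionally use lowercase `selection`, so `Steghide:` and `condition: Steghide` would read more consistently as `selection:` and `condition: selection`; PATCH 3/3 introduces the same name. Merging the `a2` and `a4` terms into one selection preserves the fixed-position option matching already raised on the embed rule's first hunk, so that point still applies to the new code. The hunk covers the whole `detection:` block; the rule header lines above it are unchanged.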
From: zakibro <48967550+zakibro@users.noreply.github.com>
Date: Sat, 11 Sep 2021 11:19:21 +0200
Subject: [PATCH 3/3] Update lnx_auditd_steghide_extract_steganography.yml
---
 .../auditd/lnx_auditd_steghide_extract_steganography.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
index 22c6dd1f5..87fe4c423 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
@@ -17,15 +17,12 @@ logsource:
 product: linux
 service: auditd
 detection:
- type:
+ Steghide:
 type: EXECVE
- commands:
 a0: steghide
 a1: extract
- a2:
 a2: '-sf'
- a3:
 a3|endswith:
 - '.jpg'
 - '.png'
- condition: type and commands and a2 and a3
+ condition: Steghide