T1027.003: T1027.003

216.73.216.233

View on MITRE ATT&CK The MITRE Corporation · Published 05/02/2020 15:28 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1027.003
Confidence: 100/100
Revoked: No
Published: 05/02/2020 15:28
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Steganography

Platforms

windows macos linux

Description

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. [Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) By the end of 2017, a threat group used `Invoke-PSImage` to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion