System Hacking: Covert Operations and Persistence
Apply antiforensics, steganography, LotL, and OPSEC to minimize detection while preserving ethics.
Steganalysis and Detection Signals
Steganalysis and Detection Signals — Finding the Hidden Stuff
"Steganography is the art of whispering in a crowded room. Steganalysis is yelling, listening to the echoes, and noticing the person who keeps oddly chewing gum." — Your friendly, slightly manic TA
You already learned the what and why of steganography in System Hacking: Covert Operations and Persistence (we covered common carriers, LSB tricks, and why attackers love images and benign documents). You also studied EDR-aware tradecraft and hardening strategies. Now we flip the script: how do defenders spot the whispers in that crowded room? This guide is your detective kit — statistical signals, forensic artifacts, tooling, and practical detection rules to find stego and covert channels used for persistence and C2.
Why detection is a different beast
- Attackers can hide payloads in mundane files (images, audio, MS Office docs) and in seemingly normal network flows (DNS, HTTP, timing channels).
- Many stego techniques look benign at first glance. You won't always see a binary that screams "malware." Instead you see slightly off metadata, odd entropy, unusual access patterns, or timing anomalies.
- EDR/behavioral telemetry helps — but stego detection often needs cross-layer correlation: filesystem + memory + network + metadata.
Think of it as hunting a pickpocket who learned to sew the stolen wallet back into the coat. You can't rely on one sensor; you need patterns.
The core detection signals (what to look for)
1) File-level signals
- Unusual entropy patterns: stego payloads (especially encrypted/compressed) increase entropy in parts of a carrier. Look for images with segments of unexpectedly high entropy.
- Embedding artifacts: LSB changes, color distribution anomalies, or noise patterns inconsistent with a camera or encoder.
- Metadata/container anomalies: strange EXIF, last-modified times that don't match user behavior, or inconsistent creators/authors in documents.
- Size vs content mismatch: large PNG/JPEG with tiny visual differences, or a harmless document that’s suspiciously large.
Tools/commands:
# entropy per file (bits per byte; 8.0 is maximum randomness)
python -c "import math,sys,collections; d=open(sys.argv[1],'rb').read(); n=len(d); print('entropy', -sum(c/n*math.log2(c/n) for c in collections.Counter(d).values()))" file.jpg
# exif metadata
exiftool suspicious.jpg
# basic stego tools
stegseek suspicious.jpg wordlist.txt   # brute-force steghide passphrases
zsteg suspicious.png                   # LSB and zlib checks for PNG/BMP
steghide info suspicious.jpg           # report embedded data (may prompt for a passphrase)
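The "unusual entropy patterns" signal above can be sketched as a sliding-window scan in Python. The window size, step, and 7.5 bits/byte threshold are illustrative assumptions, not calibrated values; tune them per file format:

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, window: int = 4096, step: int = 2048):
    """Yield (offset, entropy) for each sliding window across the file."""
    for off in range(0, max(len(data) - window, 0) + 1, step):
        yield off, shannon_entropy(data[off:off + window])

def flag_high_entropy(data: bytes, threshold: float = 7.5):
    """Offsets whose window entropy exceeds the threshold
    (likely encrypted or compressed content embedded in the carrier)."""
    return [off for off, h in entropy_profile(data) if h > threshold]
```

A whole-file entropy number hides localized embedding; the profile shows *where* in the carrier the randomness sits, which is what makes a stego region stand out against a low-entropy background.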
2) Filesystem and process behavior signals
- Odd read/write patterns: carriers altered only at odd times, or by processes that normally wouldn't modify media files (e.g., a service account process editing images).
- Persistence via stego: hidden payload extracted at runtime and executed — watch for processes spawning from unexpected parent processes after file reads.
- Memory-resident artifacts: extracted payloads in process memory, or de-obfuscated strings that reference C2 domains.
Use EDR: instrument file open/read syscalls, parent-child process trees, and memory dumps of suspicious processes.
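The file-read-then-shell-spawn correlation can be prototyped offline before you commit it to an EDR query. The event schema below is a hypothetical stand-in for whatever your EDR exports; only the join logic (same host, spawn within a short window after the read) is the point:

```python
from datetime import datetime, timedelta

MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".wav", ".docx"}
SHELLS = {"cmd.exe", "powershell.exe", "bash", "sh"}

def correlate(events, window=timedelta(seconds=10)):
    """Flag hosts where a media-file read is followed by a shell spawn
    within `window`. Each event is a dict with keys: time (datetime),
    host, type ('file_read' or 'process_start'), and path or image."""
    reads = [e for e in events if e["type"] == "file_read"
             and any(e["path"].lower().endswith(x) for x in MEDIA_EXTS)]
    spawns = [e for e in events if e["type"] == "process_start"
              and e["image"].lower() in SHELLS]
    hits = []
    for r in reads:
        for s in spawns:
            if r["host"] == s["host"] and timedelta(0) <= s["time"] - r["time"] <= window:
                hits.append((r, s))
    return hits
```

In production you would key on parent-child lineage rather than a flat time window, but the window version is easy to validate against historical telemetry first.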
3) Network signals
- DNS tunneling and payload-in-DNS: long query names, high entropy labels, or suspicious base32/base64-looking tokens in subdomains.
- HTTP image uploads/downloads: repeated GET/POSTs of images with small differences; transfers at odd intervals.
- Timing/padding channels: regular micro-timing patterns or bursty transfers that align with beaconing windows.
Quick sniffing examples:
# flag long, base64-looking DNS query names
tshark -r capture.pcap -Y "dns.qry.name matches \"[A-Za-z0-9+/=]{30,}\""
# list repeated image downloads by URI pattern
tshark -r capture.pcap -Y "http.request.uri contains \"/images/\""
Detection techniques and tools (practical)
| Technique | Signal type | Strengths | Weaknesses |
|---|---|---|---|
| Statistical entropy analysis | File | Good for encrypted/compressed payloads | False positives on already-compressed formats |
| Structural/transform analysis (DCT/FFT) | Images/audio | Targets LSB and frequency domain stego | Needs tuning per format |
| Metadata & timeline correlation | Filesystem | High fidelity for user/host mismatches | Requires rich telemetry |
| Behavioral correlation (EDR + network) | Host+Network | Catches runtime extraction and C2 | Depends on sensor coverage |
| ML/anomaly detection | Any | Can find subtle patterns at scale | High false positive churn, adversary evasion |
Recommended tools: zsteg, stegdetect, StegSolve, binwalk, exiftool, bulk_extractor, YARA, and on the network side Zeek and Suricata rules (Zeek is the renamed Bro), plus your EDR's hunting queries.
Example analytic rules (starter recipes)
YARA-like idea (concept): flag PNGs with abnormal entropy in the IDAT chunk.
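YARA's math module can gate on entropy, but the concept is quicker to prototype in Python. One workable variant, sketched under assumptions rather than calibrated: decompress the IDAT stream and measure the entropy of the raw filtered scanline bytes, which encrypted LSB-embedded data tends to push up relative to natural images:

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_pixel_entropy(data: bytes) -> float:
    """Concatenate and decompress all IDAT chunks, then return the
    Shannon entropy (bits/byte) of the raw filtered scanline bytes."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    idat, off = b"", 8
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        if ctype == b"IDAT":
            idat += data[off + 8:off + 8 + length]
        off += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            break
    raw = zlib.decompress(idat)
    n = len(raw)
    return -sum(c / n * math.log2(c / n) for c in Counter(raw).values())
```

A flat graphic scores low; a photo scores mid; "photo-looking" files that score near 8.0 in the pixel domain deserve a second look. Baseline against known-clean images from the same source before setting a threshold.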
Sigma/Suricata-style hunting ideas:
- Alert on processes that read image/doc files then spawn a shell or create a memory-mapped executable.
- Alert on DNS queries with label entropy > 4.5 bits per character and length > 50.
Example Sigma pseudo-rule:
title: Image file read followed by shell spawn
detection:
    selection1:
        ImageFileRead: true
    selection2:
        ProcessChildName: ["cmd.exe", "powershell.exe", "bash"]
    condition: selection1 and selection2 within 10s
False positives and adversary tricks — be realistic
- Cameras, modern encoders, and legitimate compression often produce high entropy. Don't ban all high-entropy files; correlate.
- Attackers can use cover traffic, mimic normal upload patterns, or use multi-stage embedding to reduce signals.
- ML detectors can be fooled by adversarial examples; rely on human-in-the-loop reviews and layered detection.
Ask: does the file's lifecycle, user, and context match expected behavior? If not, escalate.
Incident playbook (short)
- Triage: collect the carrier file(s), network captures, host timelines, and process memory dumps.
- Static checks: exiftool, entropy scan, binwalk, and steg tools (zsteg, steghide). Document hashes.
- Memory analysis: search for extracted payloads, suspicious PE/ELF headers, or deobfuscated strings.
- Network correlate: Zeek/Suricata logs for hosting domains, DNS tokens, periodic GET/POSTs.
- Containment & hunt: quarantine affected hosts, hunt for other carriers across EDR telemetry.
- Remediation: rotate credentials, patch persistence vectors, and expand detection rules.
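For the "document hashes" step of the playbook, a small helper that fingerprints every likely carrier under a directory keeps triage reproducible. The extension list is an assumption; extend it for your environment:

```python
import hashlib
from pathlib import Path

CARRIER_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".wav", ".docx"}

def triage_hashes(root: str) -> dict:
    """SHA-256 every likely carrier file under `root`,
    for chain-of-custody notes and later cross-host hunting."""
    return {
        str(p): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(Path(root).rglob("*"))
        if p.is_file() and p.suffix.lower() in CARRIER_EXTS
    }
```

Hash before you run any stego tool against the files; some extractors modify carriers in place, and the pre-analysis hash is what you pivot on across EDR telemetry.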
Closing — practical takeaways (so you can sleep at night)
- Baseline everything: good detection starts with knowing "normal": file types, sizes, modification patterns, and typical DNS/HTTP behaviors.
- Correlate layers: a suspicious file alone is noise; a suspicious file + odd process + beaconing network flow is a signal that screams.
- Instrument for memory: many stego payloads get extracted to RAM. Memory analytics is your best friend.
- Hunt with intent: craft hypotheses (e.g., "Is anyone using images as C2?"), gather evidence, and iterate.
Final thought: Steganography is creative — defenders must be more creative and more data-hungry. Don't play whack-a-mole with files; play chess with telemetry.
Version notes: This lesson builds directly on prior modules about steganography use cases and EDR-aware tradecraft. Use it to author detection rules, escalate suspicious events, and design hunting queries for your environment.