New Linux Auditd Rules - Steghide Steganography

rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml

@@ -0,0 +1,33 @@
+title: Steganography Hide Files with Steghide
+id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
+description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/11
+references:
+   - https://attack.mitre.org/techniques/T1027/003/
+   - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+tags:
+   - attack.defense_evasion
+   - attack.t1027.003
+falsepositives:
+   - None
+level: low
+logsource:
+   product: linux
+   service: auditd
+detection:
+   type: 
+       type: EXECVE
+   commands:
+       a0: steghide
+       a1: embed
+   a2:
+       a2:
+         - '-cf'
+         - '-ef'
+   a4:
+       a4:
+         - '-cf'
+         - '-ef'
+   condition: type and commands and a2 and a4

rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml

@@ -0,0 +1,31 @@
+title: Steganography Extract Files with Steghide
+id: a5a827d9-1bbe-4952-9293-c59d897eb41b
+description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/09/11
+references:
+   - https://attack.mitre.org/techniques/T1027/003/
+   - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+tags:
+   - attack.defense_evasion
+   - attack.t1027.003
+falsepositives:
+   - None
+level: low
+logsource:
+   product: linux
+   service: auditd
+detection:
+   type: 
+       type: EXECVE
+   commands:
+       a0: steghide
+       a1: extract
+   a2:
+       a2: '-sf'
+   a3:
+       a3|endswith:
+         - '.jpg'
+         - '.png'
+   condition: type and commands and a2 and a3