Adversaries may use steganographic images to exfiltrate data covertly while simultaneously accessing webmail to maintain command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration and C2 activities that evade traditional detection methods.
KQL Query
```kql
let stegProcesses = view() {
    // Command-line and file-name fragments of known steganography tools
    // ("slienteye" in the original list is a typo for the SilentEye tool).
    // has_any matches whole terms, so "steg" matches "steg.exe" but not "steghide.exe".
    let stegnames = pack_array("camouflage", "crypture", "hidensend", "openpuff", "picsel", "silenteye", "steg", "xiao");
    let ProcessQuery = view() {
        DeviceProcessEvents
        | where Timestamp > ago(30d)
        | where ProcessCommandLine has_any (stegnames)
    };
    let FileQuery = view() {
        DeviceFileEvents
        | where Timestamp > ago(30d)   // same lookback as the process side
        | where FileName has_any (stegnames)
    };
    union ProcessQuery, FileQuery
    // Steg-prefixed names keep these columns from colliding with the same-named
    // DeviceNetworkEvents columns after the join below
    | project StegProcessTimestamp = Timestamp, DeviceName,
              StegAccountName = InitiatingProcessAccountName, StegFileName = FileName,
              StegInitiatingProcess = InitiatingProcessFileName,
              StegParentProcess = InitiatingProcessParentFileName,
              StegCommandLine = InitiatingProcessCommandLine
};
let WebMailUsage = view() {
    // Network events to specific webmail hosts; change or append URLs as needed
    let webmailURLs = pack_array("mail.google.com", "mail.yahoo.com", "mail.protonmail.com");
    DeviceNetworkEvents
    | where Timestamp > ago(30d)
    // 'contains' takes a single string, not an array; has_any matches any listed host
    | where RemoteUrl has_any (webmailURLs)
};
WebMailUsage
// kind=inner keeps every pair; the default innerunique would drop repeated matches per device
| join kind=inner stegProcesses on DeviceName
// Webmail access within 30 minutes after the steganography activity on the same device
| where (Timestamp - StegProcessTimestamp) between (0min .. 30min)
| project StegProcessTimestamp, WebmailTimestamp = Timestamp, RemoteUrl, DeviceName,
          WebmailAccountName = InitiatingProcessAccountName, StegAccountName, StegFileName, StegCommandLine
```
```yaml
id: e0003bf6-b5f2-4dd1-a130-8651eb0b9f04
name: detect-steganography-exfiltration
description: |
  This query can be used to detect instances of malicious users who attempt to create steganographic images and then immediately browse to a webmail URL. This query would require additional investigation to determine whether the co-occurrence of generating a steganographic image and browsing to a webmail URL is an indication of a malicious event.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - DeviceFileEvents
      - DeviceNetworkEvents
tactics:
  - Exfiltration
query: |
  let stegProcesses = view() {
      // Command-line and file-name fragments of known steganography tools
      // ("slienteye" in the original list is a typo for the SilentEye tool).
      // has_any matches whole terms, so "steg" matches "steg.exe" but not "steghide.exe".
      let stegnames = pack_array("camouflage", "crypture", "hidensend", "openpuff", "picsel", "silenteye", "steg", "xiao");
      let ProcessQuery = view() {
          DeviceProcessEvents
          | where Timestamp > ago(30d)
          | where ProcessCommandLine has_any (stegnames)
      };
      let FileQuery = view() {
          DeviceFileEvents
          | where Timestamp > ago(30d)   // same lookback as the process side
          | where FileName has_any (stegnames)
      };
      union ProcessQuery, FileQuery
      // Steg-prefixed names keep these columns from colliding with the same-named
      // DeviceNetworkEvents columns after the join below
      | project StegProcessTimestamp = Timestamp, DeviceName,
                StegAccountName = InitiatingProcessAccountName, StegFileName = FileName,
                StegInitiatingProcess = InitiatingProcessFileName,
                StegParentProcess = InitiatingProcessParentFileName,
                StegCommandLine = InitiatingProcessCommandLine
  };
  let WebMailUsage = view() {
      // Network events to specific webmail hosts; change or append URLs as needed
      let webmailURLs = pack_array("mail.google.com", "mail.yahoo.com", "mail.protonmail.com");
      DeviceNetworkEvents
      | where Timestamp > ago(30d)
      // 'contains' takes a single string, not an array; has_any matches any listed host
      | where RemoteUrl has_any (webmailURLs)
  };
  WebMailUsage
  // kind=inner keeps every pair; the default innerunique would drop repeated matches per device
  | join kind=inner stegProcesses on DeviceName
  // Webmail access within 30 minutes after the steganography activity on the same device
  | where (Timestamp - StegProcessTimestamp) between (0min .. 30min)
  | project StegProcessTimestamp, WebmailTimestamp = Timestamp, RemoteUrl, DeviceName,
            WebmailAccountName = InitiatingProcessAccountName, StegAccountName, StegFileName, StegCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ingested by the MicrosoftThreatProtection (Microsoft 365 Defender) connector; ensure it is enabled |
| DeviceNetworkEvents | Ingested by the MicrosoftThreatProtection (Microsoft 365 Defender) connector; ensure it is enabled |
| DeviceProcessEvents | Ingested by the MicrosoftThreatProtection (Microsoft 365 Defender) connector; ensure it is enabled |
Scenario: Legitimate image processing with webmail follow-up
Description: A user uses a tool like GIMP or Photoshop to edit an image as part of a normal workflow, then opens a webmail URL (e.g., https://mail.example.com) to check email.
Filter/Exclusion: Exclude users who have a history of using image editing tools and are part of the marketing or design team. In KQL this is an allow-list on the account UPN recorded on the process event (the UPNs below are placeholders):
```kql
| where InitiatingProcessAccountUpn !in~ ("<designer-upn>", "<marketing-upn>")
```
Scenario: Scheduled job for image generation and email notification
Description: A scheduled job runs using Python Imaging Library (PIL) or ImageMagick to generate an image, then sends a notification via a webmail service (e.g., https://mail.example.com).
Filter/Exclusion: Exclude processes initiated by scheduled jobs using a known job ID or script path, keyed on the launched process and its command line rather than on every Python or ImageMagick process (the job ID is a placeholder):
```kql
| where not(FileName has_any ("python", "image_magick") and ProcessCommandLine has "<scheduled_job_id>")
```
Scenario: Admin task involving image upload and email confirmation
Description: An IT admin uploads an image to a server using FTP or SFTP, then browses to a webmail URL to confirm the upload.
Filter/Exclusion: Exclude users with admin privileges or roles like “IT Admin”. Group membership is not on the device tables, so resolve it from the Sentinel IdentityInfo (UEBA) table and filter on the resulting UPN list:
```kql
let adminUpns = IdentityInfo
    | mv-expand GroupMembership to typeof(string)
    | where GroupMembership in~ ("IT Admin", "System Admin")
    | distinct AccountUPN;
// ... later, on the steganography side of the correlation:
| where InitiatingProcessAccountUpn !in~ (adminUpns)
```
Scenario: User-generated image for internal collaboration
Description: A user creates an image using Canva or Adobe Spark for an internal collaboration tool, then opens a webmail URL to check for feedback.
Filter/Exclusion: Exclude users who use
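The following is an added tuning example, not the hunting query shipped with this page: it keeps the same 30-minute steganography-then-webmail correlation but folds in allow-lists for the benign scenarios above, requires the same account on both sides of the correlation, and collapses the output to one triage row per device and account. Every UPN, group name, script path and tool name in it is a constructed placeholder, and the IdentityInfo table is assumed to be populated by Sentinel UEBA.

```kql
// Added example: tuned version of the steganography/webmail correlation with allow-lists.
// All account, group, script path and host values are constructed placeholders.
let lookback = 30d;
let window = 30min;
let stegnames = dynamic(["camouflage", "crypture", "hidensend", "openpuff", "picsel", "silenteye", "steg", "xiao"]);
let webmailURLs = dynamic(["mail.google.com", "mail.yahoo.com", "mail.protonmail.com"]);
// Scenarios 1 and 4: design/marketing accounts that run image tools as part of their job (constructed UPNs)
let allowedImageUsers = dynamic(["designer1@example.com", "marketing2@example.com"]);
// Scenario 2: the scheduled job's script path, so only that job is excluded and not every python process (constructed)
let scheduledJobScript = @"C:\Jobs\generate_report_image.py";
// Scenario 3: members of administrative groups, resolved from the IdentityInfo (UEBA) table (constructed group names)
let adminGroups = dynamic(["IT Admin", "System Admin"]);
let adminUpns = IdentityInfo
    | where TimeGenerated > ago(lookback)
    | mv-expand GroupMembership to typeof(string)
    | where GroupMembership in~ (adminGroups)
    | distinct AccountUPN;
// Steganography tooling seen as a launched process or as a file on disk
let stegActivity =
    union
        (DeviceProcessEvents
         | where Timestamp > ago(lookback)
         | where ProcessCommandLine has_any (stegnames)
         // Scenario 2: drop the known scheduled job by its script path
         | where not(ProcessCommandLine contains scheduledJobScript)),
        (DeviceFileEvents
         | where Timestamp > ago(lookback)
         | where FileName has_any (stegnames))
    // Scenarios 1 and 4: known image-tool users; Scenario 3: administrators
    | where InitiatingProcessAccountUpn !in~ (allowedImageUsers)
    | where InitiatingProcessAccountUpn !in~ (adminUpns)
    | project StegTimestamp = Timestamp, DeviceName, StegAccountUpn = InitiatingProcessAccountUpn,
              StegFileName = FileName, StegCommandLine = InitiatingProcessCommandLine;
// Webmail access, with the account that owned the connecting process
let webmail =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteUrl has_any (webmailURLs)
    | project WebmailTimestamp = Timestamp, DeviceName, RemoteUrl,
              WebmailAccountUpn = InitiatingProcessAccountUpn;
stegActivity
| join kind=inner webmail on DeviceName
// Webmail access within the window after the steganography activity on the same device
| where WebmailTimestamp between (StegTimestamp .. (StegTimestamp + window))
// Same account on both sides: another user's webmail session on a shared host is a weaker signal
| where StegAccountUpn =~ WebmailAccountUpn
// One row per device and account, with the evidence an analyst needs to start triage
| summarize FirstSteg = min(StegTimestamp), FirstWebmail = min(WebmailTimestamp), Hits = count(),
            StegTools = make_set(StegFileName, 10), WebmailHosts = make_set(RemoteUrl, 10),
            SampleCommandLine = take_any(StegCommandLine)
  by DeviceName, StegAccountUpn
| order by Hits desc
```

The exclusions sit on the steganography side before the join, so the allow-lists reduce the join input rather than just the output; the account match is deliberately applied after the join so that a hit on a shared device can still be inspected by relaxing that single line.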