AN0652: Analytic 0652
Unusual use of steganographic or media processing binaries (e.g., `steghide`, `ffmpeg`, `imagemagick`) followed by outbound communication to external IPs with high data output and media MIME types.
Analyst context for executives and security teams
This analytic is a Linux-focused detection idea for spotting suspicious combinations of media or steganography tooling, such as steghide, ffmpeg, or ImageMagick, followed by outbound connections that move unusually large amounts of media-type data to external IP addresses. For leaders, the value is not the tool names alone; these utilities can be legitimate. The business risk is whether the organization can distinguish normal media-processing activity from behavior that may indicate hidden data handling or unusual outbound transfer patterns.
Executive priority
Prioritize this as a validation item where Linux systems process media files, handle sensitive data, or have outbound internet access. Executives and security leaders should ask whether SOC teams can correlate process execution with network egress volume and MIME-type context, because isolated endpoint or network logging may miss the pattern. This is also useful for incident readiness and compliance evidence: teams should be able to show whether high-volume external transfers from Linux hosts are monitored, explain legitimate business exceptions, and escalate unusual media-processing-to-egress sequences for review.
Technical view
SOC and detection engineering teams should validate whether Linux endpoint telemetry captures execution of steganographic or media-processing binaries and whether network telemetry can identify outbound communication to external IPs, data volume, and media MIME types. The analytic depends on correlation: use of tools like steghide, ffmpeg, or ImageMagick is not inherently suspicious, and outbound media transfer is not inherently malicious. The higher-value signal is the sequence of unusual binary use followed by high data output to external destinations with media MIME types. No ATT&CK tactics or relationships were supplied, so this should be treated as a behavior-specific analytic rather than mapped to a broader intrusion phase based on the provided object alone.
Likely telemetry
- Linux process execution events including binary name, command path, user, host, timestamp, and parent process where available
- Network connection or flow logs showing external destination IPs, bytes sent, and timing
- Proxy, gateway, or egress inspection logs that record MIME type or content-type metadata for outbound transfers
- Asset and workload context identifying Linux hosts where media-processing utilities are expected or unusual
- Allowlist or baseline data for approved media-processing workflows and known external destinations
Detection direction
- Correlate Linux execution of steganographic or media-processing binaries with subsequent outbound connections from the same host and user/session within a defensible time window.
- Tune against known-good media pipelines, developer workflows, content processing systems, and administrative image/video conversion tasks to reduce false positives.
- Give higher priority to events with high outbound byte counts, external IP destinations, and media MIME types when these are unusual for the host or business function.
- Validate that MIME-type and byte-count fields are actually available in the organization’s network telemetry; without them, the analytic may degrade to weak process-name matching.
- Review whether renamed binaries, alternate install paths, containers, or ephemeral Linux workloads create blind spots in process and egress visibility.
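The correlation described in the technical view and in the detection direction above, as an added illustration (not part of the ATT&CK object or of Glexia's analysis): it pairs Linux process events naming the analytic's binaries with later outbound flows from the same host and user, and only surfaces pairs with high byte counts, an external destination and a media MIME type. The log format, the ten-minute window, the 5 MB threshold and the internal address ranges are all assumptions chosen for the example; the sample lines are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Binaries named in the analytic; ImageMagick is normally invoked as `convert` or `magick`.
MEDIA_BINS = {"steghide", "ffmpeg", "convert", "magick"}
MEDIA_MIME = ("image/", "video/", "audio/")
WINDOW = timedelta(minutes=10)   # assumed correlation window; tune per environment
HIGH_BYTES = 5_000_000           # assumed "high output" threshold; tune to host baseline
# Assumed internal ranges for this example; any other destination counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse(line):
    """Parse a constructed '<iso-ts> key=value ...' telemetry line into a dict."""
    ts, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    if "bytes_out" in rec:
        rec["bytes_out"] = int(rec["bytes_out"])
    return rec

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def correlate(proc_lines, net_lines, window=WINDOW, high_bytes=HIGH_BYTES):
    """Pair media/stego executions with later high-volume media egress from the same host and user."""
    procs = [parse(l) for l in proc_lines]
    nets = [parse(l) for l in net_lines]
    hits = []
    for p in procs:
        if p["bin"] not in MEDIA_BINS:
            continue
        for n in nets:
            same_actor = (n["host"], n["user"]) == (p["host"], p["user"])
            in_window = timedelta(0) <= n["ts"] - p["ts"] <= window
            if not (same_actor and in_window):
                continue
            # The sequence plus volume, destination and MIME type is the signal, not the binary alone.
            if (n["bytes_out"] >= high_bytes and is_external(n["dst_ip"])
                    and n["mime"].startswith(MEDIA_MIME)):
                hits.append((p["host"], p["user"], p["bin"], n["dst_ip"], n["bytes_out"], n["mime"]))
    return hits

# Constructed sample telemetry (not real logs); 203.0.113.10 is a documentation address.
PROC_LOG = ["2024-05-01T10:00:00 host=web01 user=svc bin=steghide",
            "2024-05-01T10:02:00 host=media02 user=render bin=ffmpeg"]
NET_LOG = ["2024-05-01T10:04:00 host=web01 user=svc dst_ip=203.0.113.10 bytes_out=8400000 mime=image/png",
           "2024-05-01T10:05:00 host=media02 user=render dst_ip=10.1.2.3 bytes_out=90000000 mime=video/mp4",
           "2024-05-01T10:30:00 host=web01 user=svc dst_ip=203.0.113.10 bytes_out=7000000 mime=image/png"]

def run_sample():
    return correlate(PROC_LOG, NET_LOG)
```

On the sample, only the web01 pair fires: the media02 ffmpeg run sends to an internal address, and the second web01 transfer falls outside the window, which is exactly the kind of baseline and window tuning the list above calls for.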
Mitigation priorities
- Establish or review approved use cases for steganographic and media-processing utilities on Linux systems, especially on servers with sensitive data or broad outbound access.
- Limit outbound connectivity from Linux hosts to business-required destinations where feasible, and monitor exceptions for high-volume transfers.
- Maintain endpoint and network logging needed to correlate process execution with egress activity, including timestamps precise enough for sequence-based detection.
- Use asset context to separate expected media-processing systems from hosts where these binaries are uncommon or unauthorized.
- Document detection assumptions and exceptions so SOC triage, incident response, and audit evidence do not rely on undocumented institutional knowledge.
Analyst notes and limits
The supplied object is a detection analytic, AN0652, for Linux. Its official description provides the behavioral pattern, example binaries, outbound external IP communication, high data output, and media MIME-type context. No official detection text, tactics, aliases, labels, or relationship context were supplied, so this assessment focuses on operationalizing the described analytic rather than inferring technique mapping or adversary behavior.
This assessment is limited to the supplied ATT&CK/STIX fields and external reference. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local baselines are required to determine what is unusual, which Linux systems legitimately use these binaries, and whether required endpoint, network, and MIME-type telemetry is collected.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 03d914877f9d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0652 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.