MITRE ATT&CK® Detection Strategy

DET0119: Detection Strategy for Steganographic Abuse in File & Script Execution


Enterprise | DET0119 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0119 is a detection strategy object for identifying possible steganographic abuse during file and script execution. The business issue is that steganography is designed to hide information inside otherwise ordinary-looking media or text files, which can weaken routine monitoring and slow incident decisions. For leaders, the value is not assuming that file execution controls alone are enough; teams should confirm whether they can see suspicious execution patterns, unusual file handling, and hidden-data indicators across Linux, macOS, and Windows environments where the related ATT&CK technique applies.

Executive priority

Treat this as a coverage-validation item for stealthy activity rather than a standalone control. Security leaders should ask whether SOC, IR, and compliance teams can produce evidence that execution telemetry, file inspection processes, and investigation playbooks account for hidden data in images, audio, video, or text files. Priority is highest where business processes allow frequent handling of media files, scripts, or externally supplied content, because those environments may create more noise and more opportunity for blind spots.

Technical view

This detection strategy is linked to ATT&CK T1027.003, Steganography, a sub-technique of T1027 Obfuscated Files or Information under the Defense Evasion tactic, with platforms Linux, macOS, and Windows. Because the official detection-strategy object carries no detection logic, teams should validate coverage around the behavior the related technique describes: hiding data in digital media or text files to avoid detection. SOC and detection engineering teams should review whether file and script execution events can be correlated with suspicious file reads and writes, unusual media or text file use, command-line context, process lineage, and, where available, subsequent network or exfiltration leads.

Likely telemetry

  • Process execution telemetry, including command line and parent/child process relationships
  • Script execution logs where available
  • File creation, modification, access, and rename events for media and text files
  • Endpoint security alerts or file-inspection metadata related to unusual file content or embedded data
  • Network telemetry that may help investigate suspicious transfer of media or text files after execution

Detection direction

  • Validate that detections do not rely only on known file extensions or known malware names, because steganography may use ordinary-looking images, audio, video, or text files.
  • Tune around context: media-file access is often legitimate, so prioritize suspicious combinations such as unusual process lineage, script-driven file manipulation, abnormal file locations, or execution followed by file staging or transfer.
  • Confirm visibility across Linux, macOS, and Windows if those platforms are in scope, since the related technique lists all three.
  • Ensure analysts have a workflow for triaging suspicious files without assuming that a benign-looking media or text file is harmless.
  • Use relationship context carefully: DET0119 detects T1027.003, but the supplied ATT&CK fields do not include specific analytics, thresholds, data sources, or queries.
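The correlation described in the technical view and the detection direction above, as an added example for this page (not ATT&CK detection logic, which DET0119 does not include, and not a vendor query): it joins process, file and network events by pid, restricts to script interpreters, and fires only when a media or text file read is followed within a time window by a staged executable write or an outbound connection by the same process, so a script that merely reads a text file is not flagged. The flat event schema, the interpreter and extension lists, the 120-second window and the events in SAMPLE_EVENTS are all assumptions constructed for the example and should be tuned locally.

```python
"""Correlate process, file and network events for script interpreters that read
media or text files and then stage a payload or reach out to the network.

Added example; not ATT&CK detection logic (DET0119 ships none) and not a vendor
query. Schema, lists, window and sample events are assumptions, not captured data.
"""
from collections import defaultdict

# Assumed script interpreters across Windows, Linux and macOS; extend locally.
INTERPRETERS = {"powershell.exe", "pwsh", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "python", "python3", "bash", "sh", "zsh", "osascript", "node"}
# Carrier types named by T1027.003: images, audio, video, text.
CARRIER_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".wav", ".mp3", ".mp4", ".txt"}
# Writes of these types right after a carrier read count as staging.
STAGED_EXT = {".exe", ".dll", ".ps1", ".vbs", ".js", ".sh", ".py", ".bin"}
WINDOW_SECONDS = 120  # assumption: follow-on activity must land within two minutes


def _image_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ext(path: str) -> str:
    name = _image_name(path)
    return name[name.rfind("."):] if "." in name else ""


def correlate(events):
    """Return one finding per (interpreter pid, carrier read) that is followed
    within WINDOW_SECONDS by a staged-file write or an outbound connection."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    per_pid = defaultdict(list)
    for e in events:
        if e["type"] in ("file", "network"):
            per_pid[e["pid"]].append(e)

    findings = []
    for pid, evs in per_pid.items():
        proc = procs.get(pid)
        if proc is None or _image_name(proc["image"]) not in INTERPRETERS:
            continue  # only script interpreters are in scope for this rule
        evs.sort(key=lambda e: e["ts"])
        for i, read in enumerate(evs):
            if not (read["type"] == "file" and read["op"] == "read"
                    and _ext(read["path"]) in CARRIER_EXT):
                continue
            for follow in evs[i + 1:]:
                if follow["ts"] - read["ts"] > WINDOW_SECONDS:
                    break  # events are sorted, so nothing later can be in the window
                staged = (follow["type"] == "file" and follow["op"] == "write"
                          and _ext(follow["path"]) in STAGED_EXT)
                egress = follow["type"] == "network"
                if staged or egress:
                    parent = procs.get(proc["ppid"])
                    findings.append({
                        "pid": pid,
                        "image": _image_name(proc["image"]),
                        "parent": _image_name(parent["image"]) if parent else "unknown",
                        "cmdline": proc["cmdline"],
                        "carrier": read["path"],
                        "follow_on": ("write " + follow["path"]) if staged
                                     else ("connect " + follow["dst"]),
                        "delay_s": follow["ts"] - read["ts"],
                    })
                    break  # one finding per carrier read is enough for triage
    return findings


# Constructed events (not real telemetry). ts is seconds; pids are arbitrary.
SAMPLE_EVENTS = [
    # Benign: Explorer launches an image viewer that reads a photo.
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "ts": 900},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\mspaint.exe",
     "cmdline": "mspaint.exe photo.jpg", "ts": 905},
    {"type": "file", "pid": 101, "op": "read", "path": r"C:\Users\a\Pictures\photo.jpg", "ts": 906},
    # Suspicious: Outlook spawns a hidden PowerShell that reads a PNG from Downloads,
    # writes an .exe into Temp and then connects out.
    {"type": "process", "pid": 200, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "outlook.exe", "ts": 950},
    {"type": "process", "pid": 201, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -File run.ps1", "ts": 1000},
    {"type": "file", "pid": 201, "op": "read", "path": r"C:\Users\a\Downloads\invoice.png", "ts": 1001},
    {"type": "file", "pid": 201, "op": "write", "path": r"C:\Users\a\AppData\Local\Temp\update.exe", "ts": 1040},
    {"type": "network", "pid": 201, "dst": "203.0.113.10:443", "ts": 1050},
    # Benign Linux: a reporting script reads a .txt and writes a .csv; no staging, no egress.
    {"type": "process", "pid": 300, "ppid": 299, "image": "/usr/bin/python3",
     "cmdline": "python3 report.py", "ts": 2000},
    {"type": "file", "pid": 300, "op": "read", "path": "/home/dev/data/report.txt", "ts": 2001},
    {"type": "file", "pid": 300, "op": "write", "path": "/home/dev/data/report.csv", "ts": 2002},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run as written, only the PowerShell chain under Outlook produces a finding; the image viewer is out of scope because it is not an interpreter, and the Linux script's text-file read has no staging or egress within the window. The parent image and command line are carried into the finding so the analyst gets lineage context without a second query; the extension lists are the weakest part of the rule and should be treated as a starting point, not as the detection itself.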

Mitigation priorities

  • Start with telemetry assurance: confirm endpoint, script, file, and network evidence is collected and retained for investigation.
  • Harden execution paths where practical by reducing unnecessary script execution and monitoring script interpreters that interact with media or text files.
  • Improve file-handling governance for externally sourced or high-risk content, including investigation procedures for suspicious media or text files.
  • Prepare IR playbooks for collecting suspected carrier files and preserving process/file/network context for analysis.
  • Use this as a control-evidence discussion for SOC readiness and compliance reporting, but do not represent it as proof of full steganography detection without local validation.

Analyst notes and limits
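The triage step called for above (checking a suspected carrier file rather than assuming a benign-looking image is harmless, and collecting it with its context in the IR playbook) can start with a structural inspection. The following is an added example for this page, not tooling from ATT&CK, MITRE or Glexia: it walks the PNG chunk list with the standard library and flags bytes appended after the IEND chunk, private (unregistered) chunk types, oversized text chunks and CRC mismatches. The test image is constructed in code and the size threshold is an assumption.

```python
"""Structural triage of a suspected PNG carrier file.

Added example; not ATT&CK, MITRE or Glexia tooling. Indicators are structural
only, the threshold is an assumption, and the sample image is built in code.
"""
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {"tEXt", "zTXt", "iTXt"}
LARGE_TEXT_BYTES = 4096  # assumption: text chunks above this deserve a look


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = binascii.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1, extra_chunks=()) -> bytes:
    """Constructed minimal RGB PNG; extra_chunks are (type, body) pairs placed before IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    chunks = [_chunk(b"IHDR", ihdr), _chunk(b"IDAT", zlib.compress(raw))]
    chunks += [_chunk(t, b) for t, b in extra_chunks]
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks)


def inspect_png(data: bytes):
    """Walk the chunk list. Returns None if data is not PNG-framed, else a dict with
    the chunk inventory, any bytes after IEND, and a list of indicator flags."""
    if not data.startswith(PNG_SIG):
        return None
    chunks, flags, pos = [], [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("ascii", "replace")
        end = pos + 12 + length
        if end > len(data):
            flags.append("truncated-chunk:" + name)
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        chunks.append((name, length))
        if crc != binascii.crc32(ctype + body) & 0xFFFFFFFF:
            flags.append("bad-crc:" + name)        # edited after writing, or not really a chunk
        if ctype[1:2].islower():
            flags.append("private-chunk:" + name)  # lowercase second letter = private type
        if name in TEXT_CHUNKS and length > LARGE_TEXT_BYTES:
            flags.append("large-text-chunk:" + name)
        if ctype == b"IEND":
            trailing = data[end:]
            if trailing:
                flags.append("trailing-data")      # decoders stop at IEND; viewers never show this
            return {"chunks": chunks, "trailing": trailing, "flags": flags}
        pos = end
    return {"chunks": chunks, "trailing": b"", "flags": flags + ["no-IEND"]}


if __name__ == "__main__":
    carrier = build_png() + b"hidden"
    print(inspect_png(carrier))
```

A clean result does not rule out steganography: pixel-level (LSB) embedding leaves every chunk and CRC intact, so this check only catches carriers that were assembled carelessly or that rely on appended or private-chunk storage. The same idea for JPEG needs a real segment walker rather than a search for the end-of-image marker, because an EXIF thumbnail is itself a JPEG with its own end marker.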

The supplied ATT&CK object is a detection strategy named “Detection Strategy for Steganographic Abuse in File & Script Execution,” but it has no official description, no official detection text, no listed platforms, and no tactics of its own. The actionable context comes from its relationship to T1027.003 Steganography, which describes hiding information in digital media such as images, audio tracks, video clips, or text files.

This take is constrained to the supplied STIX fields, external reference, and relationship context. It does not assert active exploitation, adversary attribution, specific tooling, exact detection logic, or guaranteed coverage. Local environment details are required to determine realistic false positives, data availability, and operational priority.

Official MITRE ATT&CK definition

Detection Strategy for Steganographic Abuse in File & Script Execution

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1027.003
Name: Steganography (sub-technique)
Relationship / procedure: This object detects Steganography.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table below compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6c3d380e5357d5ba...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6c3d380e5357…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash, and can be retrieved unchanged from that bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0119 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.