MITRE ATT&CK® Detection Strategy

DET0235: Detecting Steganographic Command and Control via File + Network Correlation


Enterprise | DET0235 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0235 is a detection strategy concept for finding steganographic command-and-control by correlating file activity with network activity. The business value is that this behavior can make malicious C2 look like ordinary file transfer or web traffic, so single-control views may miss it. Leaders should treat this as a coverage-validation question: can the organization connect suspicious files, endpoints, and outbound communications quickly enough to support containment decisions?

Executive priority

Prioritize this where command-and-control resilience matters: endpoint-to-network visibility, SOC correlation, and incident response evidence preservation. Because the related ATT&CK technique is Steganography under command-and-control and applies to Linux, macOS, Windows, and ESXi, executives should ask whether monitoring coverage includes critical servers, virtualization infrastructure, and user endpoints, not just perimeter network logs. This is also relevant to audit and compliance evidence because investigators may need to prove what files moved, which systems communicated externally, and when those events intersected.

Technical view

The supplied ATT&CK object has no official description, detection logic, platforms, or tactics of its own, but it is explicitly related as detecting T1001.002 Steganography. SOC and detection teams should validate correlation across file telemetry and network telemetry rather than relying on either alone. Useful validation questions include: are newly created, modified, downloaded, or opened image/document-like files visible on endpoints; are outbound connections, DNS, proxy, or flow records retained with endpoint/user context; and can the SIEM or detection pipeline join file events to network sessions by host, user, process, and time window? For IR, preserve both endpoint artifacts and network records because the hidden C2 content may not be obvious from file type or connection metadata alone.

Likely telemetry

  • Endpoint file creation, modification, access, and deletion events
  • Process execution and process-to-network connection events where available
  • Proxy, web gateway, firewall, DNS, and network flow logs
  • File transfer, download, and upload records from email, web, collaboration, or storage services where available
  • Host identity, user identity, asset role, and timestamp normalization needed for correlation

Detection direction

  • Validate correlation coverage between file events and outbound network activity for systems in scope of the related technique: Linux, macOS, Windows, and ESXi.
  • Look for unusual pairings of file handling and external communications, especially where benign-looking image or document files coincide with repeated or anomalous outbound activity.
  • Tune detections with asset role, user behavior, destination reputation, file source, and process context to reduce false positives from normal media handling, document workflows, backups, and content management systems.
  • Confirm retention and timestamp consistency; this strategy depends on joining evidence across telemetry sources, so clock drift, short log retention, or missing endpoint context can create blind spots.
  • Because ATT&CK provides no official detection text for this object, treat any rule content as locally engineered and test it against the organization’s actual file-transfer and network baselines.
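
The correlation described in the Technical view and the Detection direction bullets above, as an added worked example that is not part of the ATT&CK object or of Glexia's analysis: it joins endpoint file events to outbound connection events by host, process ID and time window, flags a process that touches an image or document file and then makes repeated external connections, and applies an asset-role exception. The event field names (ts, host, user, pid, image, op, path, dst, dport), the carrier-extension list, the internal address ranges, the 60-second window, the three-connection threshold and the cms01/httpd allowlist entry are all assumptions chosen for the illustration; the sample events are constructed and use RFC 5737 documentation addresses in place of real external hosts.

```python
"""Join endpoint file events to outbound connections by host, pid and time window.

Illustrative code written for this page, not MITRE's or any vendor's detection
logic. Field names, thresholds and sample events are assumptions.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# File types an adversary might use as steganographic carriers (assumed list;
# extend it from the organisation's own file-transfer baseline).
CARRIER_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".pdf", ".docx")

# Assumed internal ranges; anything else counts as egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed asset-role exceptions: (host, process) pairs expected to handle media
# and talk outbound, e.g. a content management server.
ALLOWLIST = {("cms01", "httpd")}

# Constructed telemetry. Timestamps carry explicit offsets so the join never
# silently mixes local clocks; 203.0.113.0/24 and 198.51.100.0/24 stand in for
# external destinations.
FILE_EVENTS = [
    {"ts": "2024-05-01T10:00:01Z", "host": "ws01", "user": "alice", "pid": 4242, "image": "updater.exe",
     "op": "create", "path": r"C:\Users\alice\AppData\Local\Temp\banner.png"},
    {"ts": "2024-05-01T10:05:00Z", "host": "ws02", "user": "bob", "pid": 888, "image": "chrome.exe",
     "op": "create", "path": r"C:\Users\bob\Downloads\photo.jpg"},
    {"ts": "2024-05-01T10:10:00+00:00", "host": "cms01", "user": "www-data", "pid": 100, "image": "httpd",
     "op": "modify", "path": "/var/www/uploads/hero.png"},
    {"ts": "2024-05-01T10:15:00Z", "host": "ws03", "user": "carol", "pid": 777, "image": "svc.exe",
     "op": "create", "path": r"C:\Temp\report.docx"},
]

NET_EVENTS = [
    # ws01: updater.exe connects out four times within a minute of writing banner.png
    {"ts": "2024-05-01T10:00:05Z", "host": "ws01", "pid": 4242, "image": "updater.exe", "dst": "203.0.113.10", "dport": 443},
    {"ts": "2024-05-01T10:00:20Z", "host": "ws01", "pid": 4242, "image": "updater.exe", "dst": "203.0.113.10", "dport": 443},
    {"ts": "2024-05-01T10:00:35Z", "host": "ws01", "pid": 4242, "image": "updater.exe", "dst": "203.0.113.10", "dport": 443},
    {"ts": "2024-05-01T10:00:50Z", "host": "ws01", "pid": 4242, "image": "updater.exe", "dst": "203.0.113.10", "dport": 443},
    # ws02: one browser connection after a download, ordinary behaviour
    {"ts": "2024-05-01T10:05:02Z", "host": "ws02", "pid": 888, "image": "chrome.exe", "dst": "198.51.100.7", "dport": 443},
    # cms01: the web server talks out repeatedly, but it is an allowlisted content host
    {"ts": "2024-05-01T10:10:01Z", "host": "cms01", "pid": 100, "image": "httpd", "dst": "203.0.113.55", "dport": 443},
    {"ts": "2024-05-01T10:10:11Z", "host": "cms01", "pid": 100, "image": "httpd", "dst": "203.0.113.55", "dport": 443},
    {"ts": "2024-05-01T10:10:21Z", "host": "cms01", "pid": 100, "image": "httpd", "dst": "203.0.113.55", "dport": 443},
    # ws03: repeated connections, but to an internal address, so not egress
    {"ts": "2024-05-01T10:15:02Z", "host": "ws03", "pid": 777, "image": "svc.exe", "dst": "10.0.0.5", "dport": 445},
    {"ts": "2024-05-01T10:15:12Z", "host": "ws03", "pid": 777, "image": "svc.exe", "dst": "10.0.0.5", "dport": 445},
    {"ts": "2024-05-01T10:15:22Z", "host": "ws03", "pid": 777, "image": "svc.exe", "dst": "10.0.0.5", "dport": 445},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp and normalise it to UTC; reject naive values,
    because a join across sources is only meaningful on a common clock."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset cannot be correlated: {value}")
    return dt.astimezone(timezone.utc)


def is_carrier(path):
    """True if the file extension is on the carrier list (case-insensitive)."""
    return path.lower().endswith(CARRIER_EXT)


def is_external(dst):
    """True unless the destination falls inside an internal range."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(file_events, net_events, window=timedelta(seconds=60), min_conns=3, allowlist=ALLOWLIST):
    """Return one alert per carrier-file event whose process made at least
    min_conns external connections within `window` after the file event."""
    alerts = []
    for fe in file_events:
        if not is_carrier(fe["path"]) or (fe["host"], fe["image"]) in allowlist:
            continue
        start = parse_ts(fe["ts"])
        hits = [ne for ne in net_events
                if ne["host"] == fe["host"] and ne["pid"] == fe["pid"]
                and is_external(ne["dst"])
                and start <= parse_ts(ne["ts"]) <= start + window]
        if len(hits) >= min_conns:
            alerts.append({
                "host": fe["host"], "user": fe["user"], "pid": fe["pid"], "image": fe["image"],
                "path": fe["path"], "connections": len(hits),
                "destinations": sorted({f'{h["dst"]}:{h["dport"]}' for h in hits}),
                "first": hits[0]["ts"], "last": hits[-1]["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(FILE_EVENTS, NET_EVENTS):
        print(alert)
```

Run as written, only the ws01 event alerts: four connections to 203.0.113.10:443 inside the window after banner.png was written. Dropping the allowlist also surfaces cms01, which is the false-positive class the asset-role tuning bullet is about; lowering min_conns to 1 pulls in the single browser download on ws02; ws03 never matches because its traffic stays internal. The naive-timestamp rejection in parse_ts is the code form of the timestamp-consistency caveat: an event source that logs without an offset should be fixed at collection time rather than silently joined. A production version would also carry user and asset-role fields into the join key and add destination reputation and bytes-out ratios as further tuning inputs.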

Mitigation priorities

  • First, ensure endpoint and network telemetry collection is broad enough to support file-plus-network correlation on high-value assets and user endpoints.
  • Second, enforce logging quality: consistent host identifiers, user context, synchronized time, and sufficient retention for incident reconstruction.
  • Third, apply egress governance and monitoring so unusual outbound communications from endpoints and infrastructure can be investigated quickly.
  • Fourth, integrate SOC triage and IR playbooks so suspicious file artifacts and associated network sessions are preserved together.
  • Finally, review exceptions and blind spots such as unmanaged hosts, encrypted traffic visibility limits, ESXi monitoring gaps, and systems outside centralized logging.

Analyst notes and limits

This take is based on the ATT&CK detection strategy object DET0235 and its relationship to T1001.002 Steganography. The object name implies file and network correlation, while the related technique describes hiding C2 data in transferred digital messages, including files such as images or documents. Defensive value comes from validating correlation and evidence readiness, not from assuming a specific tool, signature, adversary, or active campaign.

The supplied object does not include an official description, official detection text, tactics, or platforms. Platforms and tactic context are inferred only from the related ATT&CK technique T1001.002. Local environment baselines, logging architecture, and approved business workflows are required before creating reliable detection thresholds or determining coverage.

Official MITRE ATT&CK definition

Detecting Steganographic Command and Control via File + Network Correlation

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name           Relationship / procedure
Enterprise  T1001.002  Steganography  Sub-technique. This object detects Steganography.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: -
Modified: -
Raw hash: 2b81462c4dcd29f6...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.0             -         Current bundle  2b81462c4dcd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0235 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.