FortiSandbox Alert Details
Alert ID: FORTI-STEGO-1027-7842
Alert Time: 2024-03-08 10:30:22 EST
Severity: HIGH (88/100)
Source: Fortinet FortiSandbox
Rule: “Steganography Detected – Hidden Payload in Image”
MITRE ATT&CK: T1027.003 – Obfuscated Files or Information: Steganography
Alert Details:
File Analysis Report:
File Name: conference_photo.jpg
File Size: 2.3 MB
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email attachment to marketing@company.com
Submission Time: 10:15 EST
Steganography Analysis:
File appears to be a normal JPG image (conference photo)
LSB (Least Significant Bit) analysis revealed hidden data
Hidden data extracted: 256 KB executable (payload.exe)
Extraction method: LSB steganography (1 bit per pixel)
Extracted Payload:
File: payload.exe
SHA256: b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1
Type: Cobalt Strike loader
Image Analysis:
Original image: legitimate conference photo from public source
Hidden data embedded in pixels (imperceptible to human eye)
MD5 of image before embedding: 7a8b9c0d…
MD5 after embedding: a1b2c3d4… (different, but looks identical)
Detection Logic:
Statistical analysis showed anomalous LSB patterns
Hidden executable detected
Image entropy higher than expected for a normal JPG
Pattern matches steganography for malware delivery
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed steganography in image
2. Email Investigation | Find source email | Proofpoint, Exchange | Email to marketing@company.com from “conference@event.org”
3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes
4. User Check | Verify if user opened image | CrowdStrike | User did not open attachment (alert before execution)
5. IOC Distribution | Block C2 IP and hashes | Palo Alto, Cisco Umbrella | 185.143.221[.]89 blocked; hashes added
6. Threat Hunting | Check for similar images | FortiSandbox, Splunk | No other occurrences found
Jira Incident Report
Ticket: SOC-2024-190
Summary: T1027.003 – Steganography: Malware Hidden in Conference Photo
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1027, steganography, image-hidden, fortisandbox, phishing
Components: Email-Security, Malware-Analysis
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Fortinet FortiSandbox.
Alert: “Steganography Detected – Hidden Payload in Image”.
File: conference_photo.jpg (email attachment).
Target: Marketing Department.
Time: 2024-03-08 10:30 EST.
Technique: MITRE ATT&CK T1027.003 – Obfuscated Files or Information: Steganography.
2. Technical Analysis:
Attack Chain:
10:10 – Email sent from “conference@event.org”
10:11 – Email delivered to marketing@company.com
10:12 – FortiSandbox analyzes attachment (inline)
10:15 – Analysis begins
10:20 – Steganography detected
10:25 – Hidden payload extracted
10:30 – Alert triggers
10:31 – Email quarantined
Steganography Details:
Method: LSB (Least Significant Bit) encoding
Cover Image: Legitimate conference photo (public source)
Hidden Data: 256 KB executable (payload.exe)
Extraction: 1 bit per pixel, 2.3 MB image yields ~256 KB hidden data
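The statistic behind the "anomalous LSB patterns" in the Detection Logic above and the 1-bit-per-pixel footprint described in these Steganography Details, as an added Python illustration (not FortiSandbox's code): the pairs-of-values chi-square test run on a constructed grayscale sample, first clean and then with every LSB overwritten as 1-bit-per-pixel replacement would leave it. The image, thresholds and seed are assumptions for the demo, not values from the attachment.

```python
import math
import random
from collections import Counter

WIDTH, HEIGHT = 64, 64  # constructed 8-bit grayscale sample, not a real photo

def constructed_cover_image():
    """Clean cover: a diagonal gradient pushed through a x1.3 contrast stretch,
    which leaves the comb-like histogram gaps edited photos often show."""
    return [min(255, int((x + y) * 2 * 1.3))
            for y in range(HEIGHT) for x in range(WIDTH)]

def simulate_lsb_replacement(pixels, seed=7):
    """Footprint of 1-bit-per-pixel LSB replacement: every LSB is overwritten
    by a bit of a compressed/encrypted stream, i.e. a fair coin flip."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]

def pair_chi_square_per_dof(pixels):
    """Pairs-of-values test (Westfeld/Pfitzmann). LSB replacement can only move
    pixels between 2k and 2k+1, driving both counts toward their mean; a
    chi-square per degree of freedom near 1.0 means 'LSBs overwritten'."""
    counts = Counter(pixels)
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue  # value pair absent from the image, no information
        chi2 += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
        pairs += 1
    return chi2 / max(pairs - 1, 1)

def lsb_plane_entropy(pixels):
    """Shannon entropy (bits) of the LSB plane; 1.0 is perfectly random."""
    p1 = sum(p & 1 for p in pixels) / len(pixels)
    return -sum(q * math.log2(q) for q in (p1, 1.0 - p1) if q > 0)

def analyze(pixels, threshold=2.0):
    """Verdict for one image: flag when the pair statistic has collapsed."""
    ratio = pair_chi_square_per_dof(pixels)
    return {"chi2_per_dof": round(ratio, 2),
            "lsb_entropy": round(lsb_plane_entropy(pixels), 3),
            "suspicious": ratio < threshold}

if __name__ == "__main__":
    clean = constructed_cover_image()
    print("clean:", analyze(clean))                            # suspicious: False
    print("stego:", analyze(simulate_lsb_replacement(clean)))  # suspicious: True
```

The LSB-plane entropy of a real photo is often already close to 1.0, which is why the per-pair statistic, not raw entropy alone, carries the detection; for a payload that fills only part of the image, run the test over leading prefixes of the pixel stream.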
Hidden Payload:
File: payload.exe
SHA256: b2c3d4e5…
Type: Cobalt Strike loader
C2: 185.143.221[.]89:443
Email Details:
Sender: conference@event.org (spoofed)
Subject: “Photos from Industry Conference 2024”
Attachment: conference_photo.jpg
3. Investigation Findings:
Timeline:
10:10 – Email sent
10:11 – Email delivered
10:12-10:30 – FortiSandbox analysis
10:30 – Alert triggers
10:31 – Email quarantined
10:32 – SOC investigates
10:35 – User confirmed (no execution)
Indicators of Compromise (IoCs):
File:
– conference_photo.jpg (SHA256: a1b2c3d4…)
– payload.exe (extracted, SHA256: b2c3d4e5…)
Network:
– C2: 185.143.221[.]89:443
Email:
– Sender: conference@event.org
– Subject: “Photos from Industry Conference 2024”
4. Containment Actions:
Immediate Actions:
Quarantined email from all mailboxes.
Blocked C2 IP at firewall and proxy.
Added file hashes to blocklists.
User Notification:
Marketing team alerted to campaign.
No user action needed (email not opened).
Email Rule Update:
Enhanced filtering for image attachments.
Added steganography detection to email gateway.
5. Root Cause Analysis:
Primary Cause: External attacker using steganography to hide malware in image.
Contributing Factors:
Image attachments allowed (now scrutinized).
No user execution (prevented by sandbox).
6. Business Impact:
Operational Impact: None.
Data Exposure: None (email not opened).
7. Remediation & Prevention:
Completed Actions:
Email quarantined.
IOCs blocked.
Users notified.
Technical Controls Enhanced:
Enhanced FortiSandbox steganography detection.
Created alert for images with embedded data.
Added LSB analysis to email security.
8. Conclusion:
An attacker used steganography to hide a Cobalt Strike loader inside a seemingly innocent conference photo. FortiSandbox detected the hidden payload and enabled blocking before any user could open the image.
Closure Rationale: Malware blocked; IOCs added; email policy enhanced.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-08 11:30 EST