Adversaries may disguise malicious data as JPEG files, either by embedding a payload in genuine image metadata (EXIF/APP segments) or, more crudely, by writing an encoded payload behind a JPEG-looking header. The rule below targets the second case: PHP code that calls file_put_contents() with content beginning with the literal text 'JPEG-1.1' followed by base64_encode(...). Note that 'JPEG-1.1' is not a JPEG signature (a genuine JPEG begins with the bytes FF D8 FF), so the written file passes only a name or casual-inspection check, not a magic-byte check. SOC teams should hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify data exfiltration or persistence mechanisms that evade traditional detection methods; YARA itself runs against file content on the endpoint or file scanner, and it is those hits that are ingested into Sentinel for correlation with file and process telemetry.
YARA Rule
rule hide_data_in_jpeg {
    strings:
        // PHP that writes a file beginning with the literal 'JPEG-1.1' followed by base64 data;
        // the regex requires a 2-3 char variable, single quotes and no whitespace, so reformatting evades it.
        $ = /file_put_contents\(\$.{2,3},'JPEG-1\.1'\.base64_encode/
    condition:
        any of them
}
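As an added example (not part of the original page, and not the rule author's code), the Python below re-implements the rule's regex and runs it over constructed PHP fragments to show what it catches and what trivially evades it, then triages a file written in the matched shape by checking for the real JPEG signature and recovering the base64 payload behind the fake header. The PHP snippets, the FAKE_HEADER constant and the payload are all made up for illustration.

```python
import base64
import re
from typing import Dict, Optional

# Python equivalent of the page's YARA regex; the rule is the page's, this
# re-implementation and everything below is an added illustration.
HIDE_IN_JPEG_RE = re.compile(rb"file_put_contents\(\$.{2,3},'JPEG-1\.1'\.base64_encode")

# Constructed PHP fragments (not real samples) in the shape the rule targets,
# with the reason each one does or does not match.
SAMPLES: Dict[str, bytes] = {
    # matches: 2-char variable, single quotes, no whitespace
    "plain": b"<?php file_put_contents($fn,'JPEG-1.1'.base64_encode($data)); ?>",
    # matches: 3-char variable
    "three": b"<?php file_put_contents($out,'JPEG-1.1'.base64_encode($blob)); ?>",
    # misses: a single space after the comma breaks the regex
    "space": b"<?php file_put_contents($fn, 'JPEG-1.1'.base64_encode($data)); ?>",
    # misses: double quotes around the fake header
    "dquote": b'<?php file_put_contents($fn,"JPEG-1.1".base64_encode($data)); ?>',
    # misses: variable name longer than three characters
    "longvar": b"<?php file_put_contents($target,'JPEG-1.1'.base64_encode($data)); ?>",
}

def scan(content: bytes) -> bool:
    """True if the content matches the rule's regex, as a YARA scan of the file would."""
    return HIDE_IN_JPEG_RE.search(content) is not None

def scan_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Scan each sample and report which ones the rule would flag."""
    return {name: scan(body) for name, body in samples.items()}

# What the matched PHP writes: an ASCII pseudo-header, then base64 of the payload.
FAKE_HEADER = b"JPEG-1.1"
# What a genuine JPEG starts with: the SOI marker FF D8 followed by FF.
REAL_JPEG_MAGIC = b"\xff\xd8\xff"

def build_fake_jpeg(payload: bytes) -> bytes:
    """Emulate the output of the matched file_put_contents() call (constructed, for triage tests)."""
    return FAKE_HEADER + base64.b64encode(payload)

def is_real_jpeg(data: bytes) -> bool:
    """Magic-byte check: a .jpg name or a 'JPEG-1.1' text prefix is not a JPEG signature."""
    return data.startswith(REAL_JPEG_MAGIC)

def recover_payload(data: bytes) -> Optional[bytes]:
    """Strip the fake header and base64-decode what follows.

    Returns None when the file lacks the fake header or the body is not valid base64,
    so a genuine image or an unrelated file is reported as 'nothing recovered'.
    """
    if not data.startswith(FAKE_HEADER):
        return None
    try:
        return base64.b64decode(data[len(FAKE_HEADER):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

if __name__ == "__main__":
    for name, hit in scan_all().items():
        print(f"{name:8s} {'HIT' if hit else 'miss'}")
    disguised = build_fake_jpeg(b"<?php echo 'hidden'; ?>")  # constructed payload
    print("real JPEG signature:", is_real_jpeg(disguised))
    print("recovered payload:", recover_payload(disguised))
```

The scan_all() table doubles as a regression check if the regex is loosened (for example to allow optional whitespace or either quote style); recover_payload() is the triage step for any file that carries a JPEG name but fails is_real_jpeg().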
This YARA rule can be deployed in the following contexts. Each scenario describes benign activity that handles JPEG files in bulk; the accompanying filter is applied to the hunting query's file and process telemetry (the rule's regex itself is unchanged) so that routine image handling does not bury the real hits:
Scenario: A system administrator is using JPEGsift to analyze JPEG files for metadata extraction as part of a digital asset management workflow.
Filter/Exclusion: Exclude hits where the detected MIME type (magic-based, not extension-based) is image/jpeg and the file path contains /assets/ or /media/. Because the rule matches PHP source text rather than image bytes, a genuine JPEG should rarely fire it, so a hit on a file under a web-served /assets/ or /media/ directory deserves a look before it is tuned out.
Scenario: A scheduled job runs ExifTool to batch process JPEG files and remove sensitive metadata during a data sanitization task.
Filter/Exclusion: Exclude hits where the exiftool command line uses -all= (strip all metadata) or -TagsFromFile, or where the file path includes /temp/ or /sanitized/.
Scenario: An IT department uses 7-Zip to compress a folder containing JPEG files as part of a backup process.
Filter/Exclusion: Exclude hits where the parent directory contains /backup/ or /archive/ and the file is a member of a ZIP archive.
Scenario: A developer is using ImageMagick to convert JPEG images to PNG format for a web application.
Filter/Exclusion: Exclude hits where the command line includes convert (or magick, the ImageMagick 7 front end) and the output format is PNG, or where the file path contains /dev/ or /build/.
Scenario: A user uploads a JPEG file to a cloud storage service like AWS S3 as part of a document sharing process.
Filter/Exclusion: Exclude hits where the upload path includes /uploads/ or /shared/ and the file has a .jpg or .jpeg extension. Treat the extension as a weak signal only: a file written by the pattern this rule detects carries a JPEG-style name without a JPEG signature, so if the hunt is widened to the written files, check the leading bytes (FF D8 FF) rather than the name.