S0231 Invoke-PSImage

Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing the script either from a file or from the web. One example of its use is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. When the image file is called from a macro, for example, the macro downloads the picture and executes the PowerShell code, which in this case dumps the passwords. [1]

| Item | Value |
| --- | --- |
| ID | S0231 |
| Type | TOOL |
| Version | 1.0 |
| Created | 18 April 2018 |
| Last Modified | 17 October 2018 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1027 | Obfuscated Files or Information | Invoke-PSImage can be used to embed a PowerShell script within the pixels of a PNG file. [1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0034 | Sandworm Team | [2] |

References