
S0231 Invoke-PSImage

Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing the script either from a file or from the web. An example of usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. By calling the image file from a macro, for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. [1]

| Item | Value |
|---|---|
| ID | S0231 |
| Associated Names | |
| Type | TOOL |
| Version | 1.1 |
| Created | 18 April 2018 |
| Last Modified | 18 October 2022 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.003 | Steganography | Invoke-PSImage can be used to embed a PowerShell script within the pixels of a PNG file. [1] |
| enterprise | T1027.009 | Embedded Payloads | Invoke-PSImage can be used to embed payload data within a new image file. [2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | [3] |

References