216.73.216.233

Invoke-PSImage

The MITRE Corporation · Published 18/04/2018 19:59 · Modified 27/03/2026 01:07

Essential information

Confidence
100/100
Published
18/04/2018 19:59
Modified
27/03/2026 01:07
Revoked
No
Author / Source
The MITRE Corporation
Related entities
2 attack patterns (mitre), 1 intrusion sets (apt)

Description

[Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Attack patterns, malware, vulnerabilities, indicators, intrusion sets, tools and other entities linked to this tool.