# Steganography

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.

By the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute code on a victim's system. In this particular case, the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.

**Example**

We will use the Invoke-PSImage sample, where we simply attach a PS1 script (PowerUp) and have it check for privilege escalation methods.

![](/files/-MRhsc4ewpoDEklsgHd5)

Something important to remember is that the image has to be larger than the PS1 payload script.

![](/files/-MRhscpRkzo0JQVYXRs4)

Once the script is done, it outputs the one-liner needed to execute the payload inside the image.

![](/files/-MRhsdXmqT00Vd67XDIt)

And a successful shell:

![](/files/-MRhsebY0qQLJz2gQjMG)

Of course, there are various methods of steganography, and it doesn't stop with images; carriers can range from music files to videos as well.
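A defender-side check for the image technique above, added here as an example (not code from Invoke-PSImage or from this page). It assumes the layout the tool's README describes, one payload byte per pixel split across the low 4 bits of two colour channels, with B as the high nibble and G as the low nibble (an assumption); the function names, thresholds and sample pixels are constructed for illustration.

```python
import string

# Byte values that count as "text": ASCII printable plus tab/newline/CR etc.
PRINTABLE = set(string.printable.encode())

def low_nibble_stream(pixels):
    """Rebuild one byte per (R, G, B) pixel: low 4 bits of B are the high
    nibble, low 4 bits of G the low nibble (assumed channel order)."""
    return bytes(((b & 0x0F) << 4) | (g & 0x0F) for _r, g, b in pixels)

def printable_ratio(data):
    """Fraction of bytes that are printable text."""
    return sum(c in PRINTABLE for c in data) / len(data) if data else 0.0

def looks_like_embedded_text(pixels, window=64, threshold=0.95):
    """Heuristic: flag the image when the first `window` reassembled bytes are
    almost all printable. Unrelated low nibbles land near 100/256 (~0.39),
    so a ratio of 0.95 is a strong signal. Window and threshold are assumptions."""
    head = low_nibble_stream(pixels[:window])
    return len(head) == window and printable_ratio(head) >= threshold

def leading_text(pixels, limit=4096):
    """Return the leading run of printable bytes so an analyst can review it.
    Trailing filler after the real text may add a few stray characters."""
    out = bytearray()
    for c in low_nibble_stream(pixels[:limit]):
        if c not in PRINTABLE:
            break
        out.append(c)
    return bytes(out)

def constructed_pixels(hidden=b"", count=256):
    """Constructed test fixture: synthetic raster-order pixels; `hidden`
    (benign text) replaces the low nibbles of the first pixels."""
    pixels = [((i * 13) % 256, (i * 37) % 256, (i * 101 + 7) % 256)
              for i in range(count)]
    for i, c in enumerate(hidden[:count]):
        r, g, b = pixels[i]
        pixels[i] = (r, (g & 0xF0) | (c & 0x0F), (b & 0xF0) | (c >> 4))
    return pixels

if __name__ == "__main__":
    sample = b"Write-Output 'constructed sample' ;" * 3  # constructed, benign
    for name, px in (("clean", constructed_pixels()),
                     ("carrier", constructed_pixels(sample))):
        print(name, looks_like_embedded_text(px), leading_text(px)[:40])
```

With one byte stored per pixel, the carrier needs at least as many pixels as the script has bytes, which is the size constraint noted in the walkthrough. Feed the functions decoded pixel data from an image library of your choice.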

