
# Steganography

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Duqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.

By the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute code on a victim's system. In this particular case, the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.

**Example**

We will use the Invoke-PSImage sample, where we simply attach a PS1 script (PowerUp) and have it check for privilege escalation methods.

![](/files/-MRhsc4ewpoDEklsgHd5)

Something important to remember is that the image has to be larger than the PS1 payload script.

![](/files/-MRhscpRkzo0JQVYXRs4)

Once the script is done, it will output the one-liner that is needed to execute the payload inside the image.

![](/files/-MRhsdXmqT00Vd67XDIt)

And a successful shell:

![](/files/-MRhsebY0qQLJz2gQjMG)

Of course, there are various methods of steganography, and it doesn't stop with images; these can range from music files to videos as well.
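From the defender's side, a one-liner like the one above has to load the image, read its pixels and hand the decoded text to the interpreter, and that combination shows up in PowerShell script block logging (event ID 4104). The following is an added example, not part of the original notes or of Invoke-PSImage: it reassembles split 4104 records and flags script blocks that combine image pixel reads with dynamic execution. The sample records, block ids and indicator list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed 4104-style records (not real logs). Long script blocks are split
# across events sharing a ScriptBlockId, ordered by MessageNumber.
EVENTS = [
    {"ScriptBlockId": "blk-A", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "$p=$g.GetPixel($x,$_); <# decode elided #> ;IEX($text)"},
    {"ScriptBlockId": "blk-A", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Add-Type -A System.Drawing;"
                        "$g=New-Object System.Drawing.Bitmap('C:\\Users\\Public\\cat.png');"},
    {"ScriptBlockId": "blk-B", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$img=[System.Drawing.Bitmap]::FromFile($f);"
                        "$c=$img.GetPixel(0,0);Write-Output $c.R"},
    {"ScriptBlockId": "blk-C", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-Expression (Get-Content .\\build-steps.txt -Raw)"},
]

# Assumed indicator groups; all three must appear in one script block.
INDICATORS = {
    "image_load": re.compile(r"System\.Drawing", re.I),
    "pixel_read": re.compile(r"\.(GetPixel|LockBits)\s*\(", re.I),
    "dynamic_exec": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
}

def reassemble(events):
    """Join the fragments of each script block in MessageNumber order."""
    parts = defaultdict(dict)
    for ev in events:
        parts[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {sid: "".join(chunk[n] for n in sorted(chunk))
            for sid, chunk in parts.items()}

def flag_image_loaders(events):
    """Return ids of script blocks in which every indicator group matches."""
    return sorted(sid for sid, text in reassemble(events).items()
                  if all(rx.search(text) for rx in INDICATORS.values()))

if __name__ == "__main__":
    print(flag_image_loaders(EVENTS))
```

Matching per event instead of per reassembled block would miss `blk-A`, because its indicators are spread across two fragments.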
