In the previous tip we explained how Invoke-WebRequest can be used to download the raw HTML content for any web page. This can also be used to transport PowerShell code. Invoke-WebRequest downloads anything a web server serves, so the below example downloads a PowerShell script:

$url = "http://bit.ly/e0Mw9w"
$page = Invoke-WebRequest -Uri $url
$code = $page.Content
$code | Out-GridView

Once you are confident with the code, you could easily try and run it:

Invoke-Expression -Command $code

This works well in the PowerShell console, and you see a “dancing Rick Ascii” and listen to fun music. However, if you run the above code in a different editor, your AV engine might block the call and identify it as a serious threat. This is because the downloaded code checks the environment it runs in, and since it requires a console, it launches a PowerShell console if it is run from anywhere else. This launch is picked up by the AV engine, and subsequently blocked.

Twitter This Tip! ReTweet this Tip!

Anonymous