In the previous tip we explained how Invoke-WebRequest can be used to download the raw HTML content for any web page. This can also be used to transport PowerShell code. Invoke-WebRequest downloads anything a web server serves, so the below example downloads a PowerShell script:
$url = "http://bit.ly/e0Mw9w" $page = Invoke-WebRequest -Uri $url $code = $page.Content $code | Out-GridView
Once you are confident with the code, you could easily try and run it:
Invoke-Expression -Command $code
This works well in the PowerShell console, and you see a “dancing Rick Ascii” and listen to fun music. However, if you run the above code in a different editor, your AV engine might block the call and identify it as a serious threat. This is because the downloaded code checks the environment it runs in, and since it requires a console, it launches a PowerShell console if it is run from anywhere else. This launch is picked up by the AV engine, and subsequently blocked.