Invoke-Command
Run commands on local or remote computers. Enables lateral movement via PowerShell remoting (WinRM).
Binary Paths
PowerShell cmdlet
Glob Patterns
| Pattern | Notes |
|---|---|
& (gcm I*-C*d) -ComputerName TARGET -ScriptBlock { whoami }
|
Wildcards in verb and noun |
& (gcm Invoke-Com*) -ComputerName ...
|
Star matches 'mand' |
& (gcm I*ke-Command) -ComputerName ...
|
Wildcard in verb |
& (gcm *-Command) -ComputerName ...
|
Prefix wildcard |
icm -ComputerName TARGET -ScriptBlock { id }
|
Built-in alias 'icm' |
& (gcm Invok[d-f]-Command) -ComputerName ...
|
Character range matches 'e' in Invoke |
& (gal ic?) -ComputerName TARGET -ScriptBlock { id }
|
Get-Alias with wildcard resolves 'icm' |
& (DIR Alias:/ic?) -ComputerName TARGET -ScriptBlock { whoami }
|
Resolves icm alias via PowerShell's Alias: PSDrive glob — ic? matches icm (Invoke-Command) |
& (gcm ('{0}voke-{1}' -f 'In','Command')) -ComputerName TARGET -ScriptBlock { whoami }
|
-f format operator constructs 'Invoke-Command' from string fragments before gcm resolves it |
& (Get-Command -Verb Inv* -Noun *Command) -ComputerName TARGET -ScriptBlock { whoami }
|
Get-Command -Verb/-Noun structured split — wildcards on verb and noun independently narrow the match to Invoke-Command |
& (gcm `I`n`v`o`k`e-Command) -ComputerName TARGET -ScriptBlock { whoami }
|
Backtick character insertion — PowerShell ignores backticks before most characters, so the name resolves normally but string-matching signatures miss it |
Pattern Tester
$
Try typing Invoke-Command or a full path like PowerShell cmdlet
YARA Rule
Auto-generated detection rule for Invoke-Command