Invoke-Expression
Execute arbitrary strings as PowerShell commands. The most direct code execution primitive — equivalent to eval().
Binary Paths
PowerShell cmdlet
Glob Patterns
| Pattern | Notes |
|---|---|
| `& (gcm I*ke-E*) 'Get-Process'` | Wildcards in both verb and noun |
| `& (gal i?x) 'whoami'` | Get-Alias (gal) with wildcard — 'iex' is the alias for Invoke-Expression |
| `& (gal ?ex) 'whoami'` | Wildcard prefix on 'iex' alias — uniquely matches iex |
| `iex 'whoami'` | Direct alias use — not a glob but the canonical short form |
| `& (gcm *xpression) 'payload'` | Wildcard prefix matches 'Invoke-E' |
| `& (gcm Invoke-Ex*) 'payload'` | Wildcard suffix matches 'pression' |
| `& (Get-Alias i?x) 'payload'` | Full Get-Alias with wildcard |
| `& (gcm Invok[d-f]-Expression) 'payload'` | Character range matches 'e' in Invoke |
| `& (DIR Alias:/I*X) 'payload'` | Resolves IEX alias via PowerShell's Alias: PSDrive glob — filesystem-style wildcard on the Alias provider |
| `& (gcm ('{0}voke-{1}' -f 'In','Expression')) 'payload'` | -f format operator constructs the cmdlet name string from fragments before gcm resolves it |
| `& (gcm * \| ? Name -match '^Inv.*Expr') 'payload'` | Regex -match filter on all commands via Where-Object pipeline — regex alternative to glob wildcards |
| `& (Get-Command -Verb Inv* -Noun *Expression) 'payload'` | Get-Command -Verb/-Noun structured split — wildcards on verb and noun independently, narrowing match to Invoke-Expression |
| `& ($ExecutionContext.InvokeCommand.GetCommand('I*-Expression','Cmdlet')) 'payload'` | Engine-level cmdlet resolution via InvokeCommand.GetCommand — bypasses Get-Command entirely; I*-Expression resolves to Invoke-Expression |
| `& (gcm ('Inv'+'oke-Ex'+'pression')) 'payload'` | String concatenation builds the cmdlet name from three fragments — full name never appears contiguous in source |
| `$c = gcm *-Expr*; & $c 'whoami'` | Variable-based invocation — glob resolves to Invoke-Expression at assignment time; & invokes the stored CommandInfo object |
| `` & (gcm `I`n`v`o`k`e-Expression) 'payload' `` | Backtick character insertion — PowerShell ignores backticks before most characters, so the name resolves normally but string-matching signatures miss it |
| `& (gcm Microsoft.PowerShell.Utility\Inv*-Expr*) 'payload'` | Module-qualified wildcard — specifying the module namespace forces resolution within Microsoft.PowerShell.Utility while still using glob patterns |
YARA Rule
Auto-generated detection rule for Invoke-Expression
Platform Notes
`iex` is a built-in alias. `Invoke-Expression` is one of the most monitored cmdlets. Wildcards on the cmdlet name via `gcm` or `gal` can bypass signature-based detections. `iex` also works with a Base64-decoded string: `iex ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('...')))`.
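For detection, the match can be inverted: instead of searching script text for the literal cmdlet name, treat each argument handed to a resolver command as a wildcard pattern and test whether it matches `Invoke-Expression` or `iex`. The following is an added example, not code from this page: it assumes the script text has already been collected (for instance from script block logging), its function names are made up for the example, and it does not cover the regex `-match` row.

```python
import re
from fnmatch import fnmatchcase

MONITORED = ("invoke-expression", "iex")  # names to catch however they are spelled

FORMAT = re.compile(r"'([^']*)'\s*-f\s*('[^']*'(?:\s*,\s*'[^']*')*)", re.I)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
VERB_NOUN = re.compile(r"-verb\s+([^\s)]+)\s+-noun\s+([^\s)]+)", re.I)
# Text that PowerShell resolves as a command or alias name pattern: the argument of
# gcm / Get-Command / gal / Get-Alias / GetCommand(...) or a path on the Alias: drive.
RESOLVER = re.compile(
    r"(?:\b(?:gcm|get-command|gal|get-alias)\s+|getcommand\s*\(|alias:[\\/])"
    r"\(*\s*['\"]?([^\s'\"(),;|]+)", re.I)
DIRECT = re.compile(r"(?<![\w-])(?:invoke-expression|iex)(?![\w-])", re.I)


def _apply_format(m):
    """Expand '{0}..{1}' -f 'a','b' into one quoted literal."""
    args = re.findall(r"'([^']*)'", m.group(2))
    fill = lambda k: args[int(k.group(1))] if int(k.group(1)) < len(args) else k.group(0)
    return "'" + re.sub(r"\{(\d+)\}", fill, m.group(1)) + "'"


def normalize(script):
    """Undo the string-level tricks so the name pattern is contiguous."""
    s = script.replace("`", "")          # backtick insertion
    s = FORMAT.sub(_apply_format, s)     # -f format operator
    n = 1
    while n:                             # 'Inv'+'oke-Ex'+'pression'
        s, n = CONCAT.subn(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
    return VERB_NOUN.sub(r"\1-\2", s)    # -Verb Inv* -Noun *Expression


def find_iex_resolution(script):
    """Return the names and name patterns in `script` that resolve to a monitored name."""
    s = normalize(script)
    hits = [m.group(0) for m in DIRECT.finditer(s)]
    for m in RESOLVER.finditer(s):
        pattern = re.split(r"[\\/]", m.group(1))[-1].lower()  # drop module qualifier
        # A pattern made only of wildcards (gcm *) lists everything and is skipped.
        if pattern.strip("*?") and any(fnmatchcase(name, pattern) for name in MONITORED):
            hits.append(m.group(1))
    return hits
```

Broad patterns such as `i*` also match both monitored names, so a hit is a triage signal to review alongside the invoked string, not a verdict.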