Invoke-Expression
Execute arbitrary strings as PowerShell commands. The most direct code execution primitive — equivalent to eval().
Binary Paths
PowerShell cmdlet
Glob Patterns
| Pattern | Wildcards | Notes |
|---|---|---|
& (gcm I*ke-E*) 'Get-Process'
|
* | Wildcards in both verb and noun |
& (gal i?x) 'whoami'
|
? | Get-Alias (gal) with wildcard — 'iex' is the alias for Invoke-Expression |
& (gal ?ex) 'whoami'
|
? | Wildcard prefix on 'iex' alias — uniquely matches iex |
iex 'whoami'
|
Direct alias use — not a glob but the canonical short form | |
& (gcm *xpression) 'payload'
|
* | Wildcard prefix matches 'Invoke-E' |
& (gcm Invoke-Ex*) 'payload'
|
* | Wildcard suffix matches 'pression' |
& (Get-Alias i?x) 'payload'
|
? | Full Get-Alias with wildcard |
& (gcm Invok[d-f]-Expression) 'payload'
|
[d-f] | Character range matches 'e' in Invoke |
& (DIR Alias:/I*X) 'payload'
|
* | Resolves IEX alias via PowerShell's Alias: PSDrive glob — filesystem-style wildcard on the Alias provider |
Platform Notes
iex is a built-in alias. Invoke-Expression is one of the most monitored cmdlets. Wildcards on the cmdlet name via gcm or gal can bypass signature-based detections. Also works with base64: iex ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('...'))).