Start-Process

PowerShell execution T1059.001

Start one or more processes. Can launch executables with specific arguments, working directories, and window styles.

Binary Paths

  • PowerShell cmdlet

Glob Patterns

Each pattern is followed by its note.

& (gcm S*a*-P*ess) -FilePath cmd.exe
    Wildcards in verb and noun

& (gcm Start-Pro*) -FilePath ...
    Star matches 'cess'

& (gcm S?art-Process) -FilePath ...
    Single char wildcard replaces 't'

& (gcm S[s-u]art-Process) -FilePath ...
    Character range matches 't' in Start

& (gcm *-Process) -FilePath ...
    Prefix wildcard

saps -FilePath cmd.exe
    Built-in alias 'saps' for Start-Process

start cmd.exe
    Alias 'start' for Start-Process

& (gal sa?s) cmd.exe
    Get-Alias with wildcard resolves 'saps'; sa?s avoids matching 'spps' (Stop-Process)

& (gcm *rocess) cmd.exe
    Short suffix pattern

& (gcm Start-Pro*) (Resolve-Path C:\Win*\Sys*32\cmd.exe)
    Double glob: the gcm wildcard resolves Start-Process AND the Resolve-Path filesystem glob resolves the binary path to cmd.exe

& (DIR Alias:/sa?s) cmd.exe
    Resolves the saps alias via PowerShell's Alias: PSDrive glob; sa?s matches saps (Start-Process)

& (gcm * | ? Name -match '^St.*Pro') -FilePath cmd.exe
    Regex -match filter on all commands via a Where-Object pipeline; a regex alternative to glob wildcards

& (gcm ('{0}-{1}' -f 'Start','Process')) -FilePath cmd.exe
    The -f format operator constructs 'Start-Process' from string fragments before gcm resolves it

& (Get-Command -Verb Start* -Noun *Process) -FilePath cmd.exe
    Get-Command -Verb/-Noun structured split; wildcards on verb and noun independently narrow the match to Start-Process

& ($ExecutionContext.InvokeCommand.GetCommand('Start-Pro*','Cmdlet')) -FilePath cmd.exe
    Engine-level cmdlet resolution via InvokeCommand.GetCommand; bypasses Get-Command entirely, and Start-Pro* resolves to Start-Process

& (gcm ('Start'+'-Pro'+'cess')) -FilePath cmd.exe
    String concatenation builds the cmdlet name from three fragments; the full name never appears contiguous in source

$c = gcm Start-Pro*; & $c -FilePath cmd.exe
    Variable-based invocation; the glob resolves to Start-Process at assignment time, and & invokes the stored CommandInfo object
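
A defender-side check for the patterns listed above, added here as an example and not part of the original catalog entry: it parses script text with PowerShell's own AST parser and reports call-operator invocations whose target is computed at run time, plus direct uses of Start-Process or its two aliases. The function name Find-IndirectStartProcess and the sample lines are constructed for illustration.

```powershell
# Added example: static check only. The text is parsed, never executed.
function Find-IndirectStartProcess {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every command invocation, including ones nested in parentheses.
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] },
        $true)

    # Names taken from the patterns on this page: the cmdlet and its two aliases.
    $directNames = 'Start-Process', 'saps', 'start'

    foreach ($cmd in $commands) {
        $target = $cmd.CommandElements[0]
        $isLiteral = $target -is [System.Management.Automation.Language.StringConstantExpressionAst]
        $reason = $null

        if ($cmd.InvocationOperator -eq [System.Management.Automation.Language.TokenKind]::Ampersand -and
            -not $isLiteral) {
            # & (gcm ...), & (gal ...), & $c: the command is computed at run time.
            # Also matches benign & "$dir\tool.exe", so treat hits as leads.
            $reason = 'call operator on computed command'
        }
        elseif ($isLiteral -and $target.Value -in $directNames) {
            $reason = 'Start-Process by name or alias'
        }

        if ($reason) {
            [pscustomobject]@{ Reason = $reason; Command = $cmd.Extent.Text }
        }
    }
}

# Constructed sample input: four patterns from this page plus one benign line.
$samples = @(
    '& (gcm Start-Pro*) -FilePath cmd.exe'
    'saps -FilePath cmd.exe'
    '& (gcm (''Start''+''-Pro''+''cess'')) -FilePath cmd.exe'
    '$c = gcm Start-Pro*; & $c -FilePath cmd.exe'
    'Get-Process | Sort-Object CPU'
)
$samples | ForEach-Object { Find-IndirectStartProcess -ScriptText $_ } | Format-Table -AutoSize
```

Because the check keys on the shape of the invocation rather than on the string "Start-Process", it covers the wildcard, format-operator, concatenation and variable rows with one rule.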


YARA Rule

Auto-generated detection rule for Start-Process

      
