Potential PowerShell Obfuscation Using Alias Cmdlets

Aug 12, 2024 · attack.defense-evasion attack.execution attack.t1027 attack.t1059.001 ·

Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts

Sigma rule (View on GitHub)

 1title: Potential PowerShell Obfuscation Using Alias Cmdlets
 2id: 96cd126d-f970-49c4-848a-da3a09f55c55
 3related:
 4    - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
 5      type: derived
 6status: test
 7description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
 8references:
 9    - https://github.com/1337Rin/Swag-PSO
10author: frack113
11date: 2023-01-08
12tags:
13    - attack.defense-evasion
14    - attack.execution
15    - attack.t1027
16    - attack.t1059.001
17logsource:
18    product: windows
19    category: ps_script
20    definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22    selection:
23        ScriptBlockText|contains:
24            - 'Set-Alias '
25            - 'New-Alias '
26    condition: selection
27falsepositives:
28    - Unknown
29level: low

References

https://github.com/1337Rin/Swag-PSO

Read More

Potential PowerShell Obfuscation Using Alias Cmdlets

Sigma rule (View on GitHub)

References

https://github.com/1337Rin/Swag-PSO

Related rules