Potential PowerShell Obfuscation Using Alias Cmdlets

calendar Oct 23, 2025 · attack.defense-evasion attack.execution attack.t1027 attack.t1059.001  ·
Share on: linkedin copy

Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts

Sigma rule (View on GitHub)

 1title: Potential PowerShell Obfuscation Using Alias Cmdlets
 2id: 96cd126d-f970-49c4-848a-da3a09f55c55
 3related:
 4    - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
 5      type: derived
 6status: test
 7description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
 8references:
 9    - https://github.com/1337Rin/Swag-PSO
10author: frack113
11date: 2023-01-08
12modified: 2025-10-22
13tags:
14    - attack.defense-evasion
15    - attack.execution
16    - attack.t1027
17    - attack.t1059.001
18logsource:
19    product: windows
20    category: ps_script
21    definition: 'Requirements: Script Block Logging must be enabled'
22detection:
23    selection:
24        ScriptBlockText|contains:
25            - 'Set-Alias '
26            - 'New-Alias '
27    filter_main_cim:
28        ScriptBlockText:
29            - 'Set-Alias -Name ncms -Value New-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
30            - 'Set-Alias -Name gcls -Value Get-CimClass -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
31            - 'Set-Alias -Name ncso -Value New-CimSessionOption -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
32            - 'Set-Alias -Name gcms -Value Get-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
33            - 'Set-Alias -Name rcms -Value Remove-cimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
34            - 'Set-Alias -Name rcie -Value Register-CimIndicationEvent -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
35            - 'Set-Alias -Name gcai -Value Get-CimAssociatedInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
36            - 'Set-Alias -Name gcim -Value Get-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
37            - 'Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
38            - 'Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
39            - 'Set-Alias -Name rcim -Value Remove-cimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
40            - 'Set-Alias -Name icim -Value Invoke-CimMethod -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
41    condition: selection and not 1 of filter_main_*
42falsepositives:
43    - Unknown
44level: low

References

Related rules

to-top