Home/CVE-2023-29068/Sigma rules
Sigma

Sigma rules for CVE-2023-29068

1 rules · scoped to cve · back to CVE-2023-29068
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

1 of 1
direct low
Potential PowerShell Obfuscation Using Alias Cmdlets
Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
status test author frack113 id 96cd126d-f970-49c4-848a-da3a09f55c55 license Sigma · DRL-1.1
view Sigma YAML 
title: Potential PowerShell Obfuscation Using Alias Cmdlets
id: 96cd126d-f970-49c4-848a-da3a09f55c55
related:
    - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
      type: derived
status: test
description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
references:
    - https://github.com/1337Rin/Swag-PSO
author: frack113
date: 2023-01-08
modified: 2025-10-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1027
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Set-Alias '
            - 'New-Alias '
    filter_main_cim:
        ScriptBlockText:
            - 'Set-Alias -Name ncms -Value New-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcls -Value Get-CimClass -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name ncso -Value New-CimSessionOption -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcms -Value Get-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name rcms -Value Remove-cimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name rcie -Value Register-CimIndicationEvent -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcai -Value Get-CimAssociatedInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcim -Value Get-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name rcim -Value Remove-cimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name icim -Value Invoke-CimMethod -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low
Showing 1-1 of 1
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin