diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
new file mode 100644
index 000000000..f104cc619
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
@@ -0,0 +1,39 @@
+title: Suspicious Powershell Alias
+id: 96cd126d-f970-49c4-848a-da3a09f55c55
+status: experimental
+description: Detects Set-Alias or New-Alias that can be use to obfuscate powershell scripts
+references:
+    - https://github.com/1337Rin/Swag-PSO
+author: frack113
+date: 2023/01/08
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1027
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection_cmdlet:
+        ScriptBlockText|contains:
+            - 'Set-Alias '
+            - 'New-Alias '
+    selection_name:
+        ScriptBlockText|contains:
+            - '-Name '
+            - '-Nam '
+            - '-Na '
+            - '-N '
+    selection_value:
+        ScriptBlockText|contains:
+            - '-Value '
+            - '-Valu '
+            - '-Val '
+            - '-Va '
+            - '-V '
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: low
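Review bot: The `selection_name` and `selection_value` blocks match `-Name `/`-Value ` (and their abbreviations) anywhere in the script block, not as parameters of the `Set-Alias`/`New-Alias` call, so any script that defines an alias and also uses some other cmdlet with those parameters satisfies `all of selection_*`, and `falsepositives: - Unknown` gives an analyst nothing to triage against. PowerShell profiles and module scripts commonly define convenience aliases, so I would document that instead of leaving it unknown, e.g. replace `- Unknown` with `- PowerShell profiles and module scripts that define convenience aliases`. Alias definitions that pass the name and value positionally (no `-Name`/`-Value` written out) are not covered by this condition, which is worth stating in the description so the `level: low` rating reads as a partial-coverage rule rather than an oversight. The description also has a typo, `can be use to` should be `can be used to`.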