Potential PendingFileRenameOperations Tampering
Detects changes to the "PendingFileRenameOperations" registry value made from uncommon or suspicious image locations (user-writable temp or public directories) or by the reg.exe/regedit.exe utilities. Writing this value stages files that are currently in use for rename or deletion at the next reboot, which malware such as Purple Fox has used to swap in payloads that cannot be replaced while the system is running.
Sigma rule (View on GitHub)
```yaml
title: Potential PendingFileRenameOperations Tampering
id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
status: test
description: |
    Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage files currently in use for rename or deletion after reboot.
references:
    - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
    - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
    - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
author: frack113
date: 2023-01-27
modified: 2024-07-03
tags:
    - attack.defense-evasion
    - attack.t1036.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
    selection_susp_paths:
        Image|contains:
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
    selection_susp_images:
        Image|endswith:
            - '\reg.exe'
            - '\regedit.exe'
    condition: selection_main and 1 of selection_susp_*
falsepositives:
    - Installers and updaters may set currently in use files for rename or deletion after a reboot.
level: medium
```
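The following is an added example and is not part of the Sigma rule or of SigmaHQ. It re-implements the rule's condition (`selection_main and 1 of selection_susp_*`, with Sigma's case-insensitive `contains`/`endswith` semantics) over a handful of constructed `registry_set` events using the Sigma field names `Image` and `TargetObject`, and it decodes a constructed `PendingFileRenameOperations` value so an analyst can see what an offending write actually stages. The value is a `REG_MULTI_SZ` of source/destination pairs in NT path form (`\??\C:\...`); an empty destination means the source is deleted at boot, and a leading `!` on the destination means the existing target is overwritten (the `MOVEFILE_REPLACE_EXISTING` encoding). All events, paths and file names below are made up for illustration.

```python
"""Added example: replay the PendingFileRenameOperations Sigma logic on
constructed events and decode the value's source/destination pairs."""
from dataclasses import dataclass
from typing import Optional

# Selection strings copied from the rule (Sigma matching is case-insensitive).
KEY_FRAGMENT = "\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations"
SUSP_PATH_FRAGMENTS = ("\\AppData\\Local\\Temp\\", "\\Users\\Public\\")
SUSP_IMAGE_SUFFIXES = ("\\reg.exe", "\\regedit.exe")


def matches_rule(event: dict) -> bool:
    """selection_main and 1 of selection_susp_* (any one suspicious selection suffices)."""
    target = event.get("TargetObject", "").lower()
    image = event.get("Image", "").lower()
    if KEY_FRAGMENT.lower() not in target:       # selection_main
        return False
    susp_path = any(frag.lower() in image for frag in SUSP_PATH_FRAGMENTS)
    susp_image = any(image.endswith(suf.lower()) for suf in SUSP_IMAGE_SUFFIXES)
    return susp_path or susp_image


@dataclass
class PendingOp:
    source: str
    destination: Optional[str]   # None: the source file is deleted at boot
    replace_existing: bool       # destination carried the '!' overwrite marker


def _strip_nt_prefix(path: str) -> str:
    """The kernel writes paths as \\??\\C:\\...; drop the 4-char NT prefix."""
    return path[4:] if path.startswith("\\??\\") else path


def decode_pending_ops(multi_sz: list) -> list:
    """Turn the REG_MULTI_SZ string list into (source, destination) operations."""
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(PendingOp(source=_strip_nt_prefix(src),
                             destination=_strip_nt_prefix(dst) if dst else None,
                             replace_existing=replace))
    return ops


# Constructed Sysmon-style registry_set events (hypothetical paths).
PFRO_KEY = "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations"
SAMPLE_EVENTS = [
    # reg.exe writing the value: caught by selection_susp_images
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": PFRO_KEY},
    # unsigned dropper staged in Users\Public: caught by selection_susp_paths
    {"EventID": 13, "Image": "C:\\Users\\Public\\update.exe", "TargetObject": PFRO_KEY},
    # vendor installer from Program Files: the documented false positive, not matched
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": PFRO_KEY},
    # reg.exe touching a different Session Manager value: selection_main fails
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute"},
]

# Constructed value: overwrite a driver at boot, then delete the dropper.
SAMPLE_VALUE = [
    "\\??\\C:\\Users\\Public\\stage.dll", "!\\??\\C:\\Windows\\System32\\drivers\\legit.sys",
    "\\??\\C:\\Users\\Public\\dropper.exe", "",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matches_rule(ev), ev["Image"], ev["TargetObject"])
    for op in decode_pending_ops(SAMPLE_VALUE):
        print(op)
```

Note that the rule triages on who wrote the value, not on what it contains: the installer event above is not matched even though it stages exactly the same operations, so when the alert fires, pulling the value (for instance with `Get-ItemProperty` on the Session Manager key) and decoding the pairs is the fastest way to tell a pending driver swap from a routine updater cleanup.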
Related rules
- Potential WerFault ReflectDebugger Registry Value Abuse
- Potential Defense Evasion Via Binary Rename
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Remote Access Tool - Renamed MeshAgent Execution - MacOS
- Remote Access Tool - Renamed MeshAgent Execution - Windows