Potential PendingFileRenameOperations Tampering
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
Sigma rule (View on GitHub)
1title: Potential PendingFileRenameOperations Tampering
2id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
3status: test
4description: |
5 Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
6references:
7 - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
8 - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
9 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
10 - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
11 - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
12author: frack113
13date: 2023-01-27
14modified: 2024-07-03
15tags:
16 - attack.defense-evasion
17 - attack.t1036.003
18logsource:
19 category: registry_set
20 product: windows
21detection:
22 selection_main:
23 EventType: 'SetValue'
24 TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
25 selection_susp_paths:
26 Image|contains:
27 - '\AppData\Local\Temp\'
28 - '\Users\Public\'
29 selection_susp_images:
30 Image|endswith:
31 - '\reg.exe'
32 - '\regedit.exe'
33 condition: selection_main and 1 of selection_susp_*
34falsepositives:
35 - Installers and updaters may set currently in use files for rename or deletion after a reboot.
36level: medium
References
-
-
Summary: Guest blogger, Brian Wilhite, talks about using Windows PowerShell to determine pending reboot status. Microsoft Scripting Guy, Ed Wilson, is here. Today we have the first of a two-part series about using Windows PowerShell to determine if a reboot is pending. Brian Wilhite, the writer, is no stranger to readers of the Hey, Scripting […]
Read More -
PendingFileRenameOperations Article 03/04/2010 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager REG_MULTI_SZ File name pairs (There is no default value for this entry.) Description Stores the ...
Read More -
The fetched payload is a long script consisting of three components: Tater (Hot Potato – privilege escalation) PowerSploit Embedded exploit bundle binary (privilege escalation) The script targets 6...
Read More -
This new iteration of Purple Fox that we came across, delivered by Rig, has a few new tricks up its sleeve. It retains its rootkit component by abusing publicly available code. It also abuses PowerShell making it capable of fileless infection.
Read More
Related rules
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File Download Via Bitsadmin To An Uncommon Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin
- LOL-Binary Copied From System Directory