Potential PendingFileRenameOperations Tampering
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.
Sigma rule
title: Potential PendingFileRenameOperations Tampering
id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
status: test
description: |
    Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.
references:
    - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
    - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
    - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
author: frack113
date: 2023/01/27
modified: 2024/07/03
tags:
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        EventType: 'SetValue'
        TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
    selection_susp_paths:
        Image|contains:
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
    selection_susp_images:
        Image|endswith:
            - '\reg.exe'
            - '\regedit.exe'
    condition: selection_main and 1 of selection_susp_*
falsepositives:
    - Installers and updaters may set currently in use files for rename or deletion after a reboot.
level: medium
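The rule's condition (selection_main and at least one of the selection_susp_* groups, with Sigma's case-insensitive contains/endswith matching) is easy to get subtly wrong when porting to a SIEM, so here is an added example, not part of the Sigma project or this rule, that evaluates the same logic in Python over constructed Sysmon-style registry_set events. For events that match, it also decodes the pending-operation list using the documented layout of the value (REG_MULTI_SZ, source/destination pairs, an empty destination meaning delete), which is what an analyst needs to decide whether a hit is an updater or something else. The event dictionaries, the file paths in them and the representation of the value data as a Python list are all constructed for this example; Sysmon renders the value in its Details field in its own format, so the decoder assumes the strings have already been split.

```python
"""Replay the PendingFileRenameOperations Sigma rule over constructed events.

Added example (not the Sigma project's code). Field names follow Sysmon
Event ID 13 as Sigma's registry_set log source maps them; the sample events,
paths and value data below are constructed, not captured.
"""

PENDING_KEY = "\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations"
SUSP_PATHS = ("\\AppData\\Local\\Temp\\", "\\Users\\Public\\")   # selection_susp_paths
SUSP_IMAGES = ("\\reg.exe", "\\regedit.exe")                     # selection_susp_images


def matches_rule(event: dict) -> bool:
    """Mirror 'selection_main and 1 of selection_susp_*' (case-insensitive, as in Sigma)."""
    if event.get("EventType") != "SetValue":
        return False
    if PENDING_KEY.lower() not in event.get("TargetObject", "").lower():
        return False
    image = event.get("Image", "").lower()
    susp_path = any(p.lower() in image for p in SUSP_PATHS)
    susp_image = any(image.endswith(i.lower()) for i in SUSP_IMAGES)
    return susp_path or susp_image


def decode_pending_ops(values: list) -> list:
    """Decode the MULTI_SZ layout Microsoft documents for this value.

    Entries come in pairs (source, destination). An empty destination means the
    source is deleted at boot; otherwise it is renamed to the destination.
    A trailing unpaired entry is ignored. Paths keep their '\\??\\' NT prefix.
    """
    ops = []
    for i in range(0, len(values) - 1, 2):
        src, dst = values[i], values[i + 1]
        if dst == "":
            ops.append({"action": "delete", "source": src, "destination": None})
        else:
            ops.append({"action": "rename", "source": src, "destination": dst})
    return ops


# Constructed events: two that should fire, two that should not.
KEY_PATH = r"HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations"
EVENTS = [
    {   # reg.exe writing the value -> selection_susp_images
        "EventType": "SetValue", "TargetObject": KEY_PATH,
        "Image": r"C:\Windows\System32\reg.exe",
        "Details": [r"\??\C:\Users\Public\drop.dll", ""],
    },
    {   # binary running from a user's Temp folder -> selection_susp_paths
        "EventType": "SetValue", "TargetObject": KEY_PATH,
        "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "Details": [r"\??\C:\Windows\Temp\new.dll", r"\??\C:\Program Files\App\app.dll"],
    },
    {   # the documented false positive: an installer in Program Files, no hit
        "EventType": "SetValue", "TargetObject": KEY_PATH,
        "Image": r"C:\Program Files\Vendor\updater.exe",
        "Details": [r"\??\C:\Program Files\Vendor\old.exe", ""],
    },
    {   # reg.exe touching a different Session Manager value, no hit
        "EventType": "SetValue",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute",
        "Image": r"C:\Windows\System32\reg.exe",
        "Details": ["autocheck autochk *"],
    },
]


def run(events: list) -> list:
    """Return (image, decoded operations) for every event the rule matches."""
    return [(e["Image"], decode_pending_ops(e.get("Details", [])))
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image, ops in run(EVENTS):
        print(image)
        for op in ops:
            print("   ", op["action"], op["source"], "->", op["destination"])
```

Running it shows the hits from reg.exe and the Temp-resident binary with their decoded operations, while the Program Files updater and the BootExecute write stay silent, which is the behaviour to confirm after translating the rule into a SIEM query.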
Related rules
- Renamed ProcDump Execution
- Suspicious Start-Process PassThru
- LOL-Binary Copied From System Directory
- File Download Via Bitsadmin To A Suspicious Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin