Potential PendingFileRenameOperations Tampering
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
Sigma rule (View on GitHub)
1title: Potential PendingFileRenameOperations Tampering
2id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
3status: test
4description: |
5 Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
6references:
7 - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
8 - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
9 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
10 - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
11 - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
12author: frack113
13date: 2023/01/27
14modified: 2024/07/03
15tags:
16 - attack.defense_evasion
17 - attack.t1036.003
18logsource:
19 category: registry_set
20 product: windows
21detection:
22 selection_main:
23 EventType: 'SetValue'
24 TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
25 selection_susp_paths:
26 Image|contains:
27 - '\AppData\Local\Temp\'
28 - '\Users\Public\'
29 selection_susp_images:
30 Image|endswith:
31 - '\reg.exe'
32 - '\regedit.exe'
33 condition: selection_main and 1 of selection_susp_*
34falsepositives:
35 - Installers and updaters may set currently in use files for rename or deletion after a reboot.
36level: medium
References
-
-
Summary: Guest blogger, Brian Wilhite, talks about using Windows PowerShell to determine pending reboot status. Microsoft Scripting Guy, Ed Wilson, is here. Today we have the first of a two-part series about using Windows PowerShell to determine if a reboot is pending.
Read More -
PendingFileRenameOperations Article 03/04/2010 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager REG_MULTI_SZ File name pairs (There is no default value for this entry.) Description Stores the ...
Read More -
The fetched payload is a long script consisting of three components: Tater (Hot Potato – privilege escalation) PowerSploit Embedded exploit bundle binary (privilege escalation) The script targets 6...
Read More -
This new iteration of Purple Fox that we came across, delivered by Rig, has a few new tricks up its sleeve. It retains its rootkit component by abusing publicly available code. It also abuses PowerShell making it capable of fileless infection.
Read More
Related rules
- Renamed ProcDump Execution
- Suspicious Start-Process PassThru
- LOL-Binary Copied From System Directory
- File Download Via Bitsadmin To A Suspicious Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin