Potential PendingFileRenameOperations Tamper

Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations, used to stage currently in-use files for rename after reboot.

Sigma rule

title: Potential PendingFileRenameOperations Tamper
id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
status: test
description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations, used to stage currently in-use files for rename after reboot.
references:
    - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
    - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
    - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
author: frack113
date: 2023/01/27
tags:
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        EventType: 'SetValue'
        TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
    selection_susp_paths:
        Image|contains:
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
    selection_susp_images:
        Image|endswith:
            - '\reg.exe'
            - '\regedit.exe'
    condition: selection_main and 1 of selection_susp_*
falsepositives:
    - Installers and updaters may set currently in use files for rename after a reboot.
level: medium
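To show how the rule's three selections combine under `selection_main and 1 of selection_susp_*`, here is an added Python evaluator that is not part of the Sigma project or of this rule's tooling. It implements only the `contains` and `endswith` modifiers the rule uses, with Sigma's default case-insensitive string matching, and runs them over a handful of constructed Sysmon Event ID 13 (registry_set) records; the field names follow the Sysmon schema the rule targets, the record contents are made up for the example.

```python
"""Minimal evaluator for the PendingFileRenameOperations Sigma rule.

Added example, not code from the Sigma project. Only the modifiers this
rule needs (contains / endswith, case-insensitive) are implemented.
"""
from typing import Dict, List

# Selections transcribed from the rule's YAML (backslashes escaped for Python).
MAIN_TARGET = "\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations"
SUSP_PATHS = ["\\AppData\\Local\\Temp\\", "\\Users\\Public\\"]
SUSP_IMAGES = ["\\reg.exe", "\\regedit.exe"]


def _contains(value: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive unless a modifier says otherwise.
    return needle.lower() in value.lower()


def _endswith(value: str, needle: str) -> bool:
    return value.lower().endswith(needle.lower())


def selection_main(ev: Dict[str, str]) -> bool:
    """EventType == SetValue and TargetObject contains the session-manager key."""
    return (ev.get("EventType", "").lower() == "setvalue"
            and _contains(ev.get("TargetObject", ""), MAIN_TARGET))


def selection_susp_paths(ev: Dict[str, str]) -> bool:
    """Image (the writing process) lives under a user-writable staging folder."""
    return any(_contains(ev.get("Image", ""), p) for p in SUSP_PATHS)


def selection_susp_images(ev: Dict[str, str]) -> bool:
    """Image is one of the registry command-line tools, wherever it lives."""
    return any(_endswith(ev.get("Image", ""), i) for i in SUSP_IMAGES)


def rule_matches(ev: Dict[str, str]) -> bool:
    # condition: selection_main and 1 of selection_susp_*
    # "1 of" means at least one of the susp_* selections must hold.
    return selection_main(ev) and (selection_susp_paths(ev) or selection_susp_images(ev))


def triage(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


PFRO_KEY = "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations"

# Constructed Sysmon Event ID 13 records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: Windows servicing writing the key; matches main but no susp_* -> no alert
    #    (this is the installer/updater false-positive case the rule excludes).
    {"EventType": "SetValue", "TargetObject": PFRO_KEY,
     "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe"},
    # 1: reg.exe from its normal location -> susp_images -> alert
    {"EventType": "SetValue", "TargetObject": PFRO_KEY,
     "Image": "C:\\Windows\\System32\\reg.exe"},
    # 2: unknown binary in \Users\Public\ -> susp_paths -> alert
    {"EventType": "SetValue", "TargetObject": PFRO_KEY,
     "Image": "C:\\Users\\Public\\update.exe"},
    # 3: suspicious path, but a DeleteValue event -> selection_main fails -> no alert
    {"EventType": "DeleteValue", "TargetObject": PFRO_KEY,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\inst.exe"},
    # 4: suspicious path, but a different Session Manager value -> no alert
    {"EventType": "SetValue",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\Environment",
     "Image": "C:\\Users\\Public\\tool.exe"},
    # 5: regedit.exe copied somewhere odd; endswith still catches it -> alert
    {"EventType": "SetValue", "TargetObject": PFRO_KEY,
     "Image": "C:\\Windows\\Temp\\regedit.exe"},
]

if __name__ == "__main__":
    for idx in triage(SAMPLE_EVENTS):
        print(f"alert: event {idx} image={SAMPLE_EVENTS[idx]['Image']}")
```

Event 0 is the case named under `falsepositives`: a servicing component setting the value is what the `1 of selection_susp_*` clause is there to leave alone, while a registry tool or a binary in a user-writable folder touching the same value is what the rule raises on.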
