Potential PendingFileRenameOperations Tamper

Rule Info

Name
Potential PendingFileRenameOperations Tamper
Author
frack113
Description
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.
Reference
https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
Date
2023-01-27 00:00:00
Modified
None
Id
4eec988f-7bf0-49f1-8675-1e6a510b3a2a
Tags
attack.defense_evasion attack.t1036.003 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=4eec988f-7bf0-49f1-8675-1e6a510b3a2a

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01
ae960f088
frack113
Fix test errors
2023-01-27
7ea3db18f
Nasreddine Bencherchali
fix: update metadata
2023-01-27
35dabc529
frack113
Update registry_set_susp_pendingfilerenameoperations.yml
2023-01-27
0f9ce8de6
frack113
Add registry_set_susp_pendingfilerenameoperations
2023-01-27
40dffb5c9
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022