Installers and updaters may set currently in use files for rename after a reboot.

Techniques

Sample rules

Potential PendingFileRenameOperations Tamper

Description

Detect changes to the "PendingFileRenameOperations" registry key made from uncommon or suspicious image locations, which can be used to stage currently used files for rename after reboot.

Detection logic

condition: selection_main and 1 of selection_susp_*
selection_main:
  EventType: SetValue
  TargetObject|contains: \CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
selection_susp_images:
  Image|endswith:
  - \reg.exe
  - \regedit.exe
selection_susp_paths:
  Image|contains:
  - \AppData\Local\Temp\
  - \Users\Public\
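The detection logic above is a Sigma rule fragment; the following added example (not from the LoFP project or the rule's author) reimplements its three selections in Python and runs them over a handful of constructed registry SetValue events, so the false-positive case named at the top of the page can be seen alongside the two matching cases. The event fields (event_type, target_object, image) are an assumed simplification of a Sysmon registry event; the rule's own strings are taken from the page, and string matching is done case-insensitively, which is Sigma's default.

```python
from dataclasses import dataclass

# Assumed minimal shape of a Sysmon-style registry event (not a real API).
@dataclass
class RegistryEvent:
    event_type: str      # e.g. "SetValue"
    target_object: str   # full registry path that was modified
    image: str           # full path of the process that made the change

# Values copied from the rule on the page.
TARGET_KEY = "\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations"
SUSP_IMAGES = ("\\reg.exe", "\\regedit.exe")
SUSP_PATHS = ("\\AppData\\Local\\Temp\\", "\\Users\\Public\\")


def selection_main(ev: RegistryEvent) -> bool:
    """EventType: SetValue AND TargetObject|contains the PendingFileRenameOperations key."""
    return ev.event_type == "SetValue" and TARGET_KEY.lower() in ev.target_object.lower()


def selection_susp_images(ev: RegistryEvent) -> bool:
    """Image|endswith any of the suspicious image names (case-insensitive, as in Sigma)."""
    return ev.image.lower().endswith(tuple(s.lower() for s in SUSP_IMAGES))


def selection_susp_paths(ev: RegistryEvent) -> bool:
    """Image|contains any of the suspicious directories (case-insensitive, as in Sigma)."""
    image = ev.image.lower()
    return any(p.lower() in image for p in SUSP_PATHS)


def evaluate(ev: RegistryEvent) -> set:
    """Apply 'selection_main and 1 of selection_susp_*'.

    Returns the names of the selection_susp_* blocks that fired; an empty set
    means the rule did not match. Naming the block is useful when triaging an
    alert, because the two blocks point at different false-positive sources.
    """
    if not selection_main(ev):
        return set()
    fired = set()
    if selection_susp_images(ev):
        fired.add("selection_susp_images")
    if selection_susp_paths(ev):
        fired.add("selection_susp_paths")
    return fired


def matches_rule(ev: RegistryEvent) -> bool:
    return bool(evaluate(ev))


PENDING_KEY = ("HKLM\\System\\CurrentControlSet\\Control\\Session Manager"
               "\\PendingFileRenameOperations")

# Constructed sample events; none of these come from a real host.
SAMPLE_EVENTS = [
    # 1. The benign case from the top of the page: an installer staging a rename.
    RegistryEvent("SetValue", PENDING_KEY, "C:\\Windows\\System32\\msiexec.exe"),
    # 2. reg.exe writing the key: matches selection_susp_images.
    RegistryEvent("SetValue", PENDING_KEY, "C:\\Windows\\System32\\reg.exe"),
    # 3. An updater helper running from the user's Temp folder: matches
    #    selection_susp_paths, and is the false positive a tuner must expect.
    RegistryEvent("SetValue", PENDING_KEY,
                  "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_helper.exe"),
    # 4. reg.exe touching an unrelated key: selection_main fails.
    RegistryEvent("SetValue", "HKLM\\SOFTWARE\\Example\\Run",
                  "C:\\Windows\\System32\\reg.exe"),
    # 5. A non-SetValue operation on the key: selection_main fails.
    RegistryEvent("DeleteValue", PENDING_KEY, "C:\\Windows\\regedit.exe"),
]


def triage(events) -> list:
    """Return (image, fired_selections) for every event that matched the rule."""
    return [(ev.image, sorted(evaluate(ev))) for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for image, fired in triage(SAMPLE_EVENTS):
        print(f"ALERT {image} <- {', '.join(fired)}")
```

Event 3 is the one to watch when tuning: legitimate updaters frequently extract a helper into AppData\Local\Temp and then stage file replacements through this key, so alerts that fire only on selection_susp_paths are a good candidate for an allow-list of known, signed updater images, while selection_susp_images hits deserve a closer look.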