LoFP / installers and updaters may set currently in use files for rename or deletion after a reboot.

Techniques

Sample rules

Potential PendingFileRenameOperations Tampering

Description

Detect changes to the “PendingFileRenameOperations” registry key made from uncommon or suspicious image locations, which can be used to stage currently in-use files for rename or deletion after a reboot.

Detection logic

condition: selection_main and 1 of selection_susp_*
selection_main:
  EventType: SetValue
  TargetObject|contains: \CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
selection_susp_images:
  Image|endswith:
  - \reg.exe
  - \regedit.exe
selection_susp_paths:
  Image|contains:
  - \AppData\Local\Temp\
  - \Users\Public\