Potential PendingFileRenameOperations Tampering
- source: sigma
- techniques: t1036, t1036.003
 
Description
Detect changes to the "PendingFileRenameOperations" registry key made from uncommon or suspicious image locations, used to stage currently-in-use files for rename or deletion after reboot.
Detection logic
condition: selection_main and 1 of selection_susp_*
selection_main:
  TargetObject|contains: \CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
selection_susp_images:
  Image|endswith:
  - \reg.exe
  - \regedit.exe
selection_susp_paths:
  Image|contains: \Users\Public\
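To show how the condition evaluates, the following is an added Python evaluator (not part of this rule page or the Sigma project) that applies the three selections above to constructed Sysmon-style registry events; the sample image paths and registry paths are illustrative assumptions, and only the `contains` and `endswith` modifiers this rule uses are implemented.

```python
# Added example (not from the rule page): apply the rule's selections to constructed
# Sysmon-style registry SetValue events. Sigma matching is case-insensitive, so both
# sides are lower-cased; backslashes in the rule are literal path separators.

RULE = {
    "selection_main": {
        "TargetObject|contains": ["\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations"],
    },
    "selection_susp_images": {"Image|endswith": ["\\reg.exe", "\\regedit.exe"]},
    "selection_susp_paths": {"Image|contains": ["\\Users\\Public\\"]},
}

def field_matches(value, modifier, patterns):
    """One Sigma field test: a list of values is OR-ed, so any hit is enough."""
    value = (value or "").lower()
    for pattern in (p.lower() for p in patterns):
        if modifier == "contains" and pattern in value:
            return True
        if modifier == "endswith" and value.endswith(pattern):
            return True
    return False

def selection_matches(event, selection):
    """All field tests inside a selection must hold (AND semantics)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field), modifier, patterns):
            return False
    return True

def rule_matches(event):
    """condition: selection_main and 1 of selection_susp_*"""
    if not selection_matches(event, RULE["selection_main"]):
        return False
    susp = (n for n in RULE if n.startswith("selection_susp_"))
    return any(selection_matches(event, RULE[n]) for n in susp)

# Constructed sample events (field names follow Sysmon Event ID 13, SetValue).
PFRO = "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations"
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": PFRO},               # matches
    {"Image": "C:\\Users\\Public\\updater.exe", "TargetObject": PFRO},               # matches
    {"Image": "C:\\Windows\\servicing\\TrustedInstaller.exe", "TargetObject": PFRO},  # not matched
    {"Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\Software\\Demo\\Flag"},  # other key
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_matches(ev), ev["Image"])
```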
