LoFP / Legitimate system updates or rollback processes may create or modify pending.xml files in non-standard locations. Verify with IT change management to reduce false alerts.

Techniques

Sample rules

Windows Downdate Registry Activity

Description

Detects registry activity that sets a pending.xml file associated with the Windows Downdate attack, which forces a Windows downgrade to enable exploitation. The rule looks for uses of a pending.xml outside of typical locations.

Detection logic

`sysmon` EventID IN (12, 13, 14)
    TargetObject IN ("*PoqexecCmdline", "*COMPONENTS\\PendingXmlIdentifier")
    NOT ProcessPath="*:\\Windows\\WinSxS\\*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
    by EventID TargetObject ProcessPath Computer action process_guid process_id
       registry_hive registry_path registry_key_name registry_value_data registry_value_name
       status user vendor_product
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_downdate_registry_activity_filter`
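Added example, not part of the Splunk rule or the LoFP entry: a Python emulation of the search and stats stages above, run over constructed Sysmon-style registry events so the NOT ProcessPath exclusion and the false-positive case from the LoFP note can be seen side by side. Registry key paths, hostnames and process paths in the sample events are assumed values, not captured telemetry.

```python
import fnmatch

# Rule parameters transcribed from the SPL above.
EVENT_IDS = {12, 13, 14}                       # Sysmon registry create/delete, value set, rename
TARGET_PATTERNS = (r"*PoqexecCmdline", r"*COMPONENTS\PendingXmlIdentifier")
EXCLUDED_PROCESS = r"*:\Windows\WinSxS\*"      # normal servicing-stack activity is suppressed

def _like(value, pattern):
    """Splunk-style case-insensitive wildcard match (only '*' is used in this rule)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def matches_rule(ev):
    """True if one event satisfies the search clause: EventID, TargetObject, NOT ProcessPath."""
    if ev.get("EventID") not in EVENT_IDS:
        return False
    if not any(_like(ev.get("TargetObject", ""), p) for p in TARGET_PATTERNS):
        return False
    # NOT ProcessPath="*:\\Windows\\WinSxS\\*"
    return not _like(ev.get("ProcessPath", ""), EXCLUDED_PROCESS)

def summarize(events):
    """Emulate `stats count min(_time) max(_time) by ...` and `rename Computer as dest`."""
    groups = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["EventID"], ev["TargetObject"], ev["ProcessPath"], ev["Computer"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return [dict(EventID=k[0], TargetObject=k[1], ProcessPath=k[2], dest=k[3], **v)
            for k, v in groups.items()]

# Constructed sample events (assumed key paths, hosts and binaries), not real telemetry.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventID": 13, "Computer": "ws01", "ProcessPath": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PoqexecCmdline"},
    {"_time": 1700000060, "EventID": 13, "Computer": "ws01", "ProcessPath": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PoqexecCmdline"},
    # Servicing stack writing from WinSxS: dropped by the NOT clause.
    {"_time": 1700000120, "EventID": 13, "Computer": "ws01", "ProcessPath": r"C:\Windows\WinSxS\amd64_servicingstack\TiWorker.exe",
     "TargetObject": r"HKLM\COMPONENTS\PendingXmlIdentifier"},
    # Legitimate update touching the value from outside WinSxS: the false positive the LoFP note describes.
    {"_time": 1700000300, "EventID": 12, "Computer": "ws02", "ProcessPath": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\COMPONENTS\PendingXmlIdentifier"},
]
```

Running summarize(SAMPLE_EVENTS) yields two rows: the ws01 activity collapsed to one row with count 2, and the ws02 svchost.exe event, which is exactly the kind of alert the change-management check in the LoFP note is meant to resolve.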