From 35dabc529cd9b4b46ff7dca0f13d3be552c3d598 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 27 Jan 2023 13:55:19 +0100
Subject: [PATCH] fix: update metadata

---
 ...y_set_susp_pendingfilerenameoperations.yml | 26 ++++++++++++-------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
index 78394195a..fd4396ec6 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -1,26 +1,34 @@
-title: Set PendingFileRenameOperations to Rename File
+title: Potential PendingFileRenameOperations Tamper
 id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
 status: experimental
-description: Detect use of the PendingFileRenameOperations to rename a file in a suspicious folder.
+description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.
 references:
-    - https://app.any.run/tasks/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6/
+    - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
     - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
+    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
+    - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
+    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
 author: frack113
 date: 2023/01/27
 tags:
     - attack.defense_evasion
-    - attack.t1036.003 
+    - attack.t1036.003
 logsource:
     category: registry_set
     product: windows
 detection:
-    selection:
+    selection_main:
         EventType: 'SetValue'
-        TargetObject|endswith: '\SYSTEM\CurrentControlSet\Control\SESSION MANAGER\PendingFileRenameOperations'
-        Details|contains: 
+        TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
+    selection_susp_paths:
+        Image|contains:
             - '\AppData\Local\Temp\'
             - '\Users\Public\'
-    condition: selection
+    selection_susp_images:
+        - Image|endswith:
+            - '\reg.exe'
+            - '\regedit.exe'
+    condition: selection_main and 1 of selection_susp_*
 falsepositives:
-    - Unknown
+    - Installers and updaters may set currently in use files for rename after a reboot.
 level: medium