From 7ea3db18f7a6db3cda4598cd9972b2983e04f343 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 27 Jan 2023 15:09:43 +0100
Subject: [PATCH] Fix test errors

---
 .github/workflows/known-FPs.csv | 2 ++
 .../registry_set_susp_pendingfilerenameoperations.yml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 37227c5c3..5a309c5e7 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -52,3 +52,5 @@ b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe
 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe
 a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: DESKTOP-A8CALR3
 a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35
+4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.exe
+4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.tmp
diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
index fd4396ec6..aba450b50 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -25,7 +25,7 @@ detection:
 - '\AppData\Local\Temp\'
 - '\Users\Public\'
 selection_susp_images:
- - Image|endswith:
+ Image|endswith:
 - '\reg.exe'
 - '\regedit.exe'
 condition: selection_main and 1 of selection_susp_*
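Review bot: The two new allow-list rows silence whatever check flagged `target\.exe` and `target\.tmp` for rule 4eec988f-7bf0-49f1-8675-1e6a510b3a2a, but the patch records no reason, and neither string appears in the visible part of the rule hunk (presumably they sit in the `Details|contains` values above line 25 of the YAML, which is outside the hunk). Judging by the existing rows (`7z\.exe`, `powershell\.exe`), the third column is a regex fragment, so an unanchored `target\.exe` would also accept any longer value containing it; if the checker does regex-search matching, `\\target\.exe` and `\\target\.tmp` would be the tighter entries. Since CSV has no comment syntax, the rationale — which test failed and why these two values are acceptable in the rule — belongs in the commit message rather than being implied by "Fix test errors".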
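Review bot: The reshaped `selection_susp_images:` still keys only on the process image name, so a renamed `reg.exe`/`regedit.exe` or a custom tool that calls the registry API directly never satisfies this selection; with `condition: selection_main and 1 of selection_susp_*`, coverage of that case rests entirely on the other `selection_susp_*` selections, whose definitions lie outside this hunk, as does the start of the `detection:` block. The edit itself looks behaviour-neutral: in Sigma a one-element list holding a single map is equivalent to that map, so dropping the `- ` changes structure, not matching — presumably what the failing test objected to, though the test is not visible here. A one-line comment would stop the next editor from re-introducing the list form, e.g. `# plain map, not a one-item list: the list form fails the repository's rule tests` placed above `Image|endswith:`.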