diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 37227c5c3..5a309c5e7 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -52,3 +52,5 @@ b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe
 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe
 a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: DESKTOP-A8CALR3
 a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35
+4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.exe
+4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.tmp
diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
new file mode 100644
index 000000000..aba450b50
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -0,0 +1,34 @@
+title: Potential PendingFileRenameOperations Tamper
+id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
+status: experimental
+description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.
+references:
+    - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
+    - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
+    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
+    - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
+    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
+author: frack113
+date: 2023/01/27
+tags:
+    - attack.defense_evasion
+    - attack.t1036.003
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection_main:
+        EventType: 'SetValue'
+        TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
+    selection_susp_paths:
+        Image|contains:
+            - '\AppData\Local\Temp\'
+            - '\Users\Public\'
+    selection_susp_images:
+        Image|endswith:
+            - '\reg.exe'
+            - '\regedit.exe'
+    condition: selection_main and 1 of selection_susp_*
+falsepositives:
+    - Installers and updaters may set currently in use files for rename after a reboot.
+level: medium