From 40dffb5c92ccc6ba98a28cfd90510a3097d37099 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 27 Jan 2023 10:49:58 +0100 Subject: [PATCH 1/4] Add registry_set_susp_pendingfilerenameoperations --- ...y_set_susp_pendingfilerenameoperations.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml new file mode 100644 index 000000000..6e373eef0 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml @@ -0,0 +1,27 @@ +title: Set PendingFileRenameOperations to Rename File +id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a +status: experimental +description: Detect use of the PendingFileRenameOperations to rename a file in a suspicious folder. +references: + - https://app.any.run/tasks/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6/ + - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/ +author: frack113 +date: 2023/01/27 +tags: + - attack.defense_evasion + - attack.t1036.003 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: 'SetValue' + TargetObject|endswith: '\SYSTEM\ControlSet001\Control\SESSION MANAGER\PendingFileRenameOperations' + Details|contains: + - '\AppData\' + - '\Users\Public\' + - '\Temp\' + condition: selection +falsepositives: + - Unknown +level: medium From 0f9ce8de6056d6610b4977b7bee1ab7a1eed3923 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 27 Jan 2023 11:09:45 +0100 Subject: [PATCH 2/4] Update registry_set_susp_pendingfilerenameoperations.yml --- .../registry_set_susp_pendingfilerenameoperations.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml index 6e373eef0..78394195a 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml @@ -16,11 +16,10 @@ logsource: detection: selection: EventType: 'SetValue' - TargetObject|endswith: '\SYSTEM\ControlSet001\Control\SESSION MANAGER\PendingFileRenameOperations' + TargetObject|endswith: '\SYSTEM\CurrentControlSet\Control\SESSION MANAGER\PendingFileRenameOperations' Details|contains: - - '\AppData\' + - '\AppData\Local\Temp\' - '\Users\Public\' - - '\Temp\' condition: selection falsepositives: - Unknown From 35dabc529cd9b4b46ff7dca0f13d3be552c3d598 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 27 Jan 2023 13:55:19 +0100 Subject: [PATCH 3/4] fix: update metadata --- ...y_set_susp_pendingfilerenameoperations.yml | 26 ++++++++++++------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml index 78394195a..fd4396ec6 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml @@ -1,26 +1,34 @@ -title: Set PendingFileRenameOperations to Rename File +title: Potential PendingFileRenameOperations Tamper id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a status: experimental -description: Detect use of the PendingFileRenameOperations to rename a file in a suspicious folder. +description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot. references: - - https://app.any.run/tasks/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6/ + - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6 - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/ + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN + - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html + - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html author: frack113 date: 2023/01/27 tags: - attack.defense_evasion - - attack.t1036.003 + - attack.t1036.003 logsource: category: registry_set product: windows detection: - selection: + selection_main: EventType: 'SetValue' - TargetObject|endswith: '\SYSTEM\CurrentControlSet\Control\SESSION MANAGER\PendingFileRenameOperations' - Details|contains: + TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations' + selection_susp_paths: + Image|contains: - '\AppData\Local\Temp\' - '\Users\Public\' - condition: selection + selection_susp_images: + - Image|endswith: + - '\reg.exe' + - '\regedit.exe' + condition: selection_main and 1 of selection_susp_* falsepositives: - - Unknown + - Installers and updaters may set currently in use files for rename after a reboot. level: medium From 7ea3db18f7a6db3cda4598cd9972b2983e04f343 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 27 Jan 2023 15:09:43 +0100 Subject: [PATCH 4/4] Fix test errors --- .github/workflows/known-FPs.csv | 2 ++ .../registry_set_susp_pendingfilerenameoperations.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 37227c5c3..5a309c5e7 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -52,3 +52,5 @@ b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: DESKTOP-A8CALR3 a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35 +4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.exe +4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.tmp diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml index fd4396ec6..aba450b50 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml @@ -25,7 +25,7 @@ detection: - '\AppData\Local\Temp\' - '\Users\Public\' selection_susp_images: - - Image|endswith: + Image|endswith: - '\reg.exe' - '\regedit.exe' condition: selection_main and 1 of selection_susp_*