← Back to Explore
sigmamediumHunting
Potential PendingFileRenameOperations Tampering
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
Detection Query
selection_main:
TargetObject|contains: \CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
selection_susp_paths:
Image|contains: \Users\Public\
selection_susp_images:
Image|endswith:
- \reg.exe
- \regedit.exe
condition: selection_main and 1 of selection_susp_*
Author
frack113
Created
2023-01-27
Data Sources
windowsRegistry Set Events
Platforms
windows
References
- https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
- https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
- https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
- https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
Tags
attack.defense-evasionattack.t1036.003
Raw Content
title: Potential PendingFileRenameOperations Tampering
id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
status: test
description: |
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
references:
- https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
- https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
- https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
- https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
author: frack113
date: 2023-01-27
modified: 2025-10-07
tags:
- attack.defense-evasion
- attack.t1036.003
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
selection_susp_paths:
Image|contains: '\Users\Public\'
# - '\AppData\Local\Temp\' # Commented out as it's used by legitimate installers
selection_susp_images:
Image|endswith:
- '\reg.exe'
- '\regedit.exe'
condition: selection_main and 1 of selection_susp_*
falsepositives:
- Installers and updaters may set currently in use files for rename or deletion after a reboot.
level: medium