From e1d0959ba1cf7bb233c3219dfcc5af086921c9c9 Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Mon, 9 Mar 2026 12:39:33 +0530
Subject: [PATCH 1/2] PendingFileRenameOperations
---
 ...ingfilerenameoperations-registry-value.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 nursery/persist-via-pendingfilerenameoperations-registry-value.yml
diff --git a/nursery/persist-via-pendingfilerenameoperations-registry-value.yml b/nursery/persist-via-pendingfilerenameoperations-registry-value.yml
new file mode 100644
index 000000000..a5dfa4235
--- /dev/null
+++ b/nursery/persist-via-pendingfilerenameoperations-registry-value.yml
@@ -0,0 +1,22 @@
+rule:
+ meta:
+ name: persist via PendingFileRenameOperations registry value
+ namespace: persistence/registry
+ authors:
+ - akshat4703
+ scopes:
+ static: function
+ dynamic: span of calls
+ references:
+ - https://github.com/mandiant/capa-rules/issues/911
+ - https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-movefileexa
+ - https://forensicatorj.wordpress.com/2014/06/25/interpreting-the-pendingfilerenameoperations-registry-key-for-forensics/
+ examples:
+ - ac742739cae0d411dfcb78ae99a7baee:0x140002318
+ features:
+ - and:
+ - or:
+ - match: set registry value
+ - number: 0x80000002 = HKEY_LOCAL_MACHINE
+ - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Session Manager/i
+ - string: /PendingFileRenameOperations/i
From 06a164aab0227b46115de0dc33065f45d608e832 Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Mon, 9 Mar 2026 18:41:53 +0530
Subject: [PATCH 2/2] commit-resolved
---
 .../persist-via-pendingfilerenameoperations-registry-value.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/nursery/persist-via-pendingfilerenameoperations-registry-value.yml b/nursery/persist-via-pendingfilerenameoperations-registry-value.yml
index a5dfa4235..b8809e64d 100644
--- a/nursery/persist-via-pendingfilerenameoperations-registry-value.yml
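Review bot: The `or:` block at the top of `features` lets the bare constant `number: 0x80000002 = HKEY_LOCAL_MACHINE` stand in for `match: set registry value`, so a function that only opens HKLM and reads the `Session Manager` / `PendingFileRenameOperations` value (a reboot-pending check, an uninstaller, a forensic tool) satisfies a rule whose name asserts persistence. I would make `- match: set registry value` a direct member of the `and:` and move `- number: 0x80000002 = HKEY_LOCAL_MACHINE` under an `- optional:` list, so the HKLM constant adds confidence without replacing the write. The MoveFileEx reference also points at the `MOVEFILE_DELAY_UNTIL_REBOOT` route, which per the linked docs queues the operation through this same value without either string appearing in the sample; if that route is intentionally left to another rule, a `description:` under `meta` should say so, e.g. `description: direct write of the Session Manager PendingFileRenameOperations value; the MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) route is not covered here`.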
+++ b/nursery/persist-via-pendingfilerenameoperations-registry-value.yml
@@ -8,7 +8,6 @@ rule:
 static: function
 dynamic: span of calls
 references:
- - https://github.com/mandiant/capa-rules/issues/911
 - https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-movefileexa
 - https://forensicatorj.wordpress.com/2014/06/25/interpreting-the-pendingfilerenameoperations-registry-key-for-forensics/
 examples: