Suspicious Registry Modification of MaxMpxCt Parameters
Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
Sigma rule
```yaml
title: Suspicious Registry Modification of MaxMpxCt Parameters
id: 9fc5784b-50ab-4f0e-8044-5e15990d48a1
status: experimental
description: Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1105
    - attack.t1562
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'LanmanServer'
            - 'parameters'
            - 'MaxMpxCt'
            - '65535'
    condition: selection
falsepositives:
    - Unknown
level: high
```
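To show how the rule's `CommandLine|contains|all` selection behaves, here is an added Python example (not part of the Sigma project or of this page) that applies the same four-token test, case-insensitively as Sigma does, to a handful of constructed process_creation events. The `Image` and `CommandLine` field names mirror Sysmon event fields; the sample events themselves are invented for the demonstration.

```python
# Added example: evaluate the MaxMpxCt Sigma selection against sample events.
# Sigma's `contains|all` requires every listed token to appear somewhere in the
# field; string matching in Sigma is case-insensitive by default, so we lower-case.
REQUIRED_TOKENS = ("LanmanServer", "parameters", "MaxMpxCt", "65535")


def matches_maxmpxct_rule(command_line: str) -> bool:
    """Return True when all four tokens from the rule appear in command_line."""
    haystack = command_line.lower()
    return all(token.lower() in haystack for token in REQUIRED_TOKENS)


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: reg.exe raising MaxMpxCt to 65535 -> all four tokens present, should fire
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"'
                    r' /v MaxMpxCt /d 65535 /t REG_DWORD /f'},
    # 1: same change made via PowerShell -> still contains every token, should fire
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet'
                    r'\Services\LanmanServer\Parameters -Name MaxMpxCt -Value 65535'},
    # 2: read-only query of the value -> no '65535', must not fire
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"'
                    r' /v MaxMpxCt'},
    # 3: different value written -> no '65535', must not fire
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"'
                    r' /v MaxMpxCt /d 512 /t REG_DWORD /f'},
]


def evaluate(events):
    """Return the indices of events whose CommandLine satisfies the selection."""
    return [i for i, ev in enumerate(events)
            if matches_maxmpxct_rule(ev.get("CommandLine", ""))]


if __name__ == "__main__":
    for idx in evaluate(SAMPLE_EVENTS):
        print(f"ALERT (level: high) event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Note that event 2 shows why the `'65535'` token matters for precision: a mere query of the same key does not satisfy the selection.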
Related rules
- Executable Deployment from Remote Share
- Tampering of Windows Defender with Reg
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components
- BITSAdmin Downloading Malicious Binaries