Suspicious Registry Modification of MaxMpxCt Parameters

Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Sigma rule

```yaml
title: Suspicious Registry Modification of MaxMpxCt Parameters
id: 9fc5784b-50ab-4f0e-8044-5e15990d48a1
status: experimental
description: Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1105
    - attack.t1562
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'LanmanServer'
            - 'parameters'
            - 'MaxMpxCt'
            - '65535'
    condition: selection
falsepositives:
    - Unknown
level: high
```
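The rule's logsource is `process_creation`, so it matches on the command line of a spawned process (for example a `reg.exe` or PowerShell invocation recorded by Sysmon Event ID 1 or Security Event ID 4688), not on a registry-set event. The `contains|all` modifier requires every listed substring to appear in `CommandLine`, and Sigma string matching is case-insensitive by default. The following Python is an added example, not part of the rule or the SigmaHQ project: it implements that selection logic directly and runs it over a handful of constructed sample events to show what the rule does and does not fire on.

```python
"""Evaluate the MaxMpxCt Sigma selection against constructed process_creation events.

Added example; the event dictionaries below are constructed samples, not real telemetry.
"""
from typing import Dict, List

# The rule's selection list: every substring must be present in CommandLine.
REQUIRED_SUBSTRINGS = ["LanmanServer", "parameters", "MaxMpxCt", "65535"]


def matches_selection(event: Dict[str, str], required: List[str] = REQUIRED_SUBSTRINGS) -> bool:
    """Emulate `CommandLine|contains|all` with Sigma's default case-insensitive matching."""
    command_line = event.get("CommandLine", "").lower()
    return all(substring.lower() in command_line for substring in required)


# Constructed sample events (field names follow the Sigma process_creation taxonomy).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # reg.exe setting MaxMpxCt to 65535: the pattern the rule describes
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters "
                       r"/v MaxMpxCt /t REG_DWORD /d 65535 /f",
    },
    {   # same change made through PowerShell; the substrings are still all present
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -c Set-ItemProperty -Path "
                       r"HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters "
                       r"-Name MaxMpxCt -Value 65535",
    },
    {   # value written in hexadecimal: '65535' is absent, so the rule as written is silent
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters "
                       r"/v MaxMpxCt /t REG_DWORD /d 0xffff /f",
    },
    {   # read-only query of the key: no value, no match
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt",
    },
    {   # unrelated process that happens to contain one of the substrings
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\analyst\65535.txt",
    },
]


def run_rule(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of the events the selection fires on."""
    return [index for index, event in enumerate(events) if matches_selection(event)]


if __name__ == "__main__":
    for index in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event[{index}]: {SAMPLE_EVENTS[index]['CommandLine']}")
```

Running the block alerts on the first two events only. The third sample is worth noting when tuning: because the rule keys on the decimal literal `65535`, the same registry change expressed in hexadecimal does not satisfy `contains|all`; a local variant that also lists the hexadecimal form, or that drops the value condition and relies on the path and value name alone (at the cost of more noise from legitimate administration), covers that gap. Registry changes made through the Win32 API with no tell-tale command line are outside this rule's logsource entirely and need a `registry_set` rule.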
