Suspicious Registry Key Added: LanmanServer Parameters
Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
Sigma rule
```yaml
title: 'Suspicious Registry Key Added: LanmanServer Parameters'
id: 9c5df39b-0fe2-450b-bc90-a1b748dca8af
status: experimental
description: Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
references:
  - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
  - attack.command_and_control
  - attack.defense_evasion
  - attack.t1105
  - attack.t1562
logsource:
  category: registry_add
  product: windows
detection:
  selection:
    EventType: CreateKey
    TargetObject: 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
  condition: selection
falsepositives:
  - Unknown
level: high
```
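To see what the rule's `selection` block actually fires on, the following script evaluates it over a handful of constructed registry_add events. This is an added example, not part of the rule or of the Sigma project: it re-implements only the plain Sigma string match (case-insensitive, `*` and `?` wildcards) and applies the rule's `condition: selection` as a logical AND over its two fields. The events, their `id` values and the `alerts` helper are all made up for the demonstration.

```python
"""Evaluate the LanmanServer Parameters rule's selection over sample events.

Added example (not the rule author's or Sigma's code). Field names and
values in SELECTION are copied from the rule; the events are constructed.
"""
import re

# The rule's `selection` block, field -> pattern.
SELECTION = {
    "EventType": "CreateKey",
    "TargetObject": r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
}


def sigma_match(value: str, pattern: str) -> bool:
    """Plain Sigma string matching: case-insensitive full-string comparison,
    where '*' matches any run of characters and '?' matches one character.
    This rule uses no wildcards, so here it reduces to case-insensitive equality."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches_selection(event: dict) -> bool:
    """`condition: selection` -> every field in the selection must match (AND)."""
    return all(
        field in event and sigma_match(str(event[field]), pattern)
        for field, pattern in SELECTION.items()
    )


# Constructed registry_add events in the shape of Sysmon Event ID 12 fields.
EVENTS = [
    {   # 1: exact key the rule names -> alert
        "id": 1, "EventType": "CreateKey",
        "TargetObject": r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
    },
    {   # 2: same key, different casing -> alert (Sigma matching is case-insensitive)
        "id": 2, "EventType": "CreateKey",
        "TargetObject": r"system\currentcontrolset\services\lanmanserver\parameters",
    },
    {   # 3: value write under the key, not a key creation -> no alert here
        "id": 3, "EventType": "SetValue",
        "TargetObject": r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt",
    },
    {   # 4: same key but with a hive prefix -> no alert under exact matching
        "id": 4, "EventType": "CreateKey",
        "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
    },
    {   # 5: a different service's Parameters key -> no alert
        "id": 5, "EventType": "CreateKey",
        "TargetObject": r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters",
    },
]


def alerts(events: list) -> list:
    """Return the ids of the events the rule would flag, in input order."""
    return [e["id"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    print("alerting event ids:", alerts(EVENTS))  # [1, 2]
```

Event 4 is the one to check against your own pipeline: the rule's `TargetObject` has no wildcard and no hive prefix, so it is an exact (case-insensitive) match, while Sysmon records registry paths with the abbreviated hive in front (`HKLM\...`). If the log source or the Sigma conversion pipeline in use does not strip that prefix, the rule never fires, so confirm the field format before relying on it. Event 3 shows that a value write to `MaxMpxCt` is outside this rule's scope; that case is covered by the related MaxMpxCt rules listed below.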
Related rules
- Suspicious Registry Key Set (MaxMpxCt)
- Suspicious Registry Modification of MaxMpxCt Parameters
- Powershell MS Defender Tampering - ScriptBlockLogging
- Executable Deployment from Remote Share
- Tampering of Windows Defender with Reg