Suspicious Registry Key Added: LanmanServer Parameters

Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Sigma rule (View on GitHub)

```yaml
title: 'Suspicious Registry Key Added: LanmanServer Parameters'
id: 9c5df39b-0fe2-450b-bc90-a1b748dca8af
status: experimental
description: Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1105
    - attack.t1562
logsource:
    category: registry_add
    product: windows
detection:
    selection:
        EventType: CreateKey
        TargetObject: 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    condition: selection
falsepositives:
    - Unknown
level: high
```
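An added example, not part of the rule or its author's repository: a Python triage function over Sysmon-style registry events that separates a write to the `MaxMpxCt` value from key-level events on the `Parameters` key. It assumes Sysmon field names (`EventType`, `TargetObject`, `Details`, `Image`) and Sysmon's hive-prefixed path format; the function names and the sample events are constructed for illustration.

```python
import re

# Matches the LanmanServer Parameters key, optionally followed by one value
# name. ControlSet00N is the on-disk name behind CurrentControlSet.
PARAMS_RE = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\LanmanServer\\Parameters(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")

def classify(event):
    """Return 'alert', 'review' or None for one Sysmon-style registry event."""
    m = PARAMS_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    value = (m.group("value") or "").lower()
    if event.get("EventType") == "SetValue" and value == "maxmpxct":
        return "alert"    # the MaxMpxCt write named in the rule description
    if event.get("EventType") == "CreateKey" and not value:
        return "review"   # key-level event on Parameters, no value name
    return None

def new_dword(event):
    """Parse the integer from a Sysmon 'Details' field, or None if absent."""
    m = DWORD_RE.search(event.get("Details", ""))
    return int(m.group(1), 16) if m else None

def triage(events):
    """Return (verdict, image, new value) for every event that matches."""
    return [(v, e.get("Image"), new_dword(e))
            for e in events if (v := classify(e))]

# Constructed sample events (assumed Sysmon format, not from a real host).
REG = r"C:\Windows\System32\reg.exe"
BASE = r"HKLM\System\CurrentControlSet\Services"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": REG, "Details": "DWORD (0x0000ffff)",
     "TargetObject": BASE + r"\LanmanServer\Parameters\MaxMpxCt"},
    {"EventType": "CreateKey", "Image": REG,
     "TargetObject": BASE + r"\LanmanServer\Parameters"},
    {"EventType": "SetValue", "Image": REG, "Details": "DWORD (0x00000001)",
     "TargetObject": BASE + r"\LanmanServer\Parameters\AutoShareWks"},
    {"EventType": "SetValue", "Image": REG, "Details": "DWORD (0x00000032)",
     "TargetObject": BASE + r"\LanmanWorkstation\Parameters\MaxMpxCt"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```
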
