Suspicious Registry Key Set (MaxMpxCt)
Detects a registry value being set that changes the MaxMpxCt setting of the LanmanServer (SMB server) service, the parameter that caps the number of simultaneous outstanding requests the server accepts from a client. BlackCat raises it to increase the number of outstanding requests allowed, for example SMB requests, while distributing ransomware through an environment.
Sigma rule

```yaml
title: 'Suspicious Registry Key Set (MaxMpxCt)'
id: 4bd730d9-37d6-4a87-b392-ffb9ab52bf21
status: experimental
description: Detects registry value set to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1105
    - attack.t1562
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: SetValue
        TargetObject: 'HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt'
        Details: 'DWORD (0x0000ffff)'
    condition: selection
falsepositives:
    - Unknown
level: high
```
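To see what the rule's selection does and does not fire on, here is an added example (not part of the published rule or of the SigmaHQ project) that applies the three-field selection to a handful of constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records, the event type the `registry_set` logsource maps to. The sample events, the `MaxWorkItems` write and the `SELECTION_ANY_VALUE` variant are assumptions made up for the illustration; the field names and the matching semantics (every listed field must match, plain strings compared case-insensitively) are Sigma's.

```python
"""Run the MaxMpxCt Sigma selection over constructed Sysmon registry events.

Field names follow Sysmon Event ID 13 (RegistryEvent, Value Set), which the
Sigma `registry_set` logsource maps to. The events below are constructed for
this example; they are not real telemetry.
"""

# Selection copied from the rule above.
SELECTION = {
    "EventType": "SetValue",
    "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt",
    "Details": "DWORD (0x0000ffff)",
}

# Hypothetical broader variant (not part of the published rule): any write to
# the MaxMpxCt value, whatever DWORD is written.
SELECTION_ANY_VALUE = {k: v for k, v in SELECTION.items() if k != "Details"}


def sigma_match(event, selection):
    """Sigma 'selection' semantics for plain string values: every listed field
    must be present and equal, compared case-insensitively (the Sigma default)."""
    for field, expected in selection.items():
        actual = event.get(field)
        if not isinstance(actual, str) or actual.casefold() != expected.casefold():
            return False
    return True


def alerts(events, selection=SELECTION):
    """Return the events that would fire the given selection."""
    return [e for e in events if sigma_match(e, selection)]


MAXMPXCT = r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt"

# Constructed sample events (field mapping already applied).
SAMPLE_EVENTS = [
    {   # what the rule targets: MaxMpxCt raised to 0xFFFF (65535). Casing of the
        # hex digits varies between log pipelines; the case-insensitive match absorbs it.
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": MAXMPXCT,
        "Details": "DWORD (0x0000FFFF)",
    },
    {   # same value name, a different number: slips past the exact-Details rule
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": MAXMPXCT,
        "Details": "DWORD (0x00007FFF)",
    },
    {   # a different LanmanServer parameter set to the same number: no match
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxWorkItems",
        "Details": "DWORD (0x0000FFFF)",
    },
    {   # value deleted rather than set (Sysmon Event ID 12): EventType differs
        "EventID": 12, "EventType": "DeleteValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": MAXMPXCT,
    },
]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT (published rule):", e["Image"], e["TargetObject"], e["Details"])
    for e in alerts(SAMPLE_EVENTS, SELECTION_ANY_VALUE):
        print("ALERT (any-value variant):", e["Image"], e["TargetObject"], e.get("Details"))
```

Only the first record fires the published rule: the `Details` match is an exact one on `0x0000ffff`, so an operator who picks any other large value is not caught by this rule alone, which is why a broader selection on the key path (the `SELECTION_ANY_VALUE` variant, which also flags the `0x00007FFF` write) is worth considering as a companion with a lower level, given the rule's `Unknown` false-positive profile.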
References
- https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
Related rules
- Suspicious Registry Key Added: LanmanServer Parameters
- Suspicious Registry Modification of MaxMpxCt Parameters
- Powershell MS Defender Tampering - ScriptBlockLogging
- Executable Deployment from Remote Share
- Tampering of Windows Defender with Reg