Suspicious Registry Key Set (MaxMpxCt)

Detects a registry value being set to change the MaxMpxCt setting. BlackCat does this to raise the number of outstanding requests a server allows, such as SMB requests, so the ransomware can be distributed through an environment faster.

Sigma rule

```yaml
title: 'Suspicious Registry Key Set (MaxMpxCt)'
id: 4bd730d9-37d6-4a87-b392-ffb9ab52bf21
status: experimental
description: Detects registry value set to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
author: Micah Babinski
date: 2022/12/04
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1105
    - attack.t1562
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: SetValue
        TargetObject: 'HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt'
        Details: 'DWORD (0x0000ffff)'
    condition: selection
falsepositives:
    - Unknown
level: high
```
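To show what the selection above actually fires on, the following is an added example (not part of the rule page or the Sigma project) that evaluates the rule's three-field selection against constructed registry_set events. The field names `EventType`, `TargetObject` and `Details` come from the rule; the sample events and their `Image` field are constructed for illustration, and the broader `find_any_maxmpxct_change` hunting check is an assumption that goes beyond the rule, which only matches the exact value `0xffff`.

```python
"""Added example (not the Sigma project's code): evaluates the MaxMpxCt rule's
selection against constructed Windows registry_set events.

Field names (EventType, TargetObject, Details) come from the rule. The sample
events below are constructed; the `Image` field is an assumption added so the
records resemble endpoint telemetry and is not used by the rule.
"""

from typing import Dict, List

# The rule's single selection: every field must match (logical AND).
MAXMPXCT_SELECTION: Dict[str, str] = {
    "EventType": "SetValue",
    "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt",
    "Details": "DWORD (0x0000ffff)",
}

# Broader hunting check (an assumption beyond the rule): any SetValue on the
# MaxMpxCt value, whatever DWORD is written, since the rule only fires on 0xffff.
MAXMPXCT_TARGET_SUFFIX = r"\LanmanServer\Parameters\MaxMpxCt"


def matches_selection(event: Dict[str, str], selection: Dict[str, str] = MAXMPXCT_SELECTION) -> bool:
    """Sigma plain string values match case-insensitively; mirror that here."""
    for field, expected in selection.items():
        actual = event.get(field)
        if actual is None or actual.lower() != expected.lower():
            return False
    return True


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule would raise as alerts."""
    return [e for e in events if matches_selection(e)]


def find_any_maxmpxct_change(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Hunting variant: every SetValue on MaxMpxCt regardless of the value written."""
    return [
        e for e in events
        if e.get("EventType", "").lower() == "setvalue"
        and e.get("TargetObject", "").lower().endswith(MAXMPXCT_TARGET_SUFFIX.lower())
    ]


# Constructed sample events in the shape the rule's logsource expects.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # fires: exact match on all three fields
        "EventType": "SetValue",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt",
        "Details": "DWORD (0x0000ffff)",
        "Image": r"C:\Windows\System32\reg.exe",
    },
    {   # fires: same event in different letter case (Sigma matching is case-insensitive)
        "EventType": "setvalue",
        "TargetObject": r"hklm\system\currentcontrolset\services\lanmanserver\parameters\maxmpxct",
        "Details": "DWORD (0x0000FFFF)",
        "Image": r"C:\Windows\System32\cmd.exe",
    },
    {   # does not fire on the rule: MaxMpxCt set to a value other than 0xffff
        "EventType": "SetValue",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt",
        "Details": "DWORD (0x00000032)",
        "Image": r"C:\Windows\System32\reg.exe",
    },
    {   # does not fire: a different LanmanServer parameter
        "EventType": "SetValue",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Size",
        "Details": "DWORD (0x00000003)",
        "Image": r"C:\Windows\System32\reg.exe",
    },
    {   # does not fire: value deleted, not set
        "EventType": "DeleteValue",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt",
        "Details": "",
        "Image": r"C:\Windows\System32\reg.exe",
    },
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["Image"], alert["TargetObject"], alert["Details"])
    print("MaxMpxCt changes of any value:", len(find_any_maxmpxct_change(SAMPLE_EVENTS)))
```

Two points the run makes visible: the rule is a strict equality match, so a write of any DWORD other than `0x0000ffff` is silent, and the `Details` comparison depends on the log source rendering the value as `DWORD (0x........)` the way Sysmon registry events do; if your pipeline normalises that field differently, the selection never matches.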
