MaxMpxCt Registry Value Changed

Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.

Sigma rule (View on GitHub)

 1title: MaxMpxCt Registry Value Changed
 2id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
 3status: experimental
 4description: |
 5    Detects changes to the "MaxMpxCt" registry value.
 6    MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
 7    Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.    
 8references:
 9    - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
10    - https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
11    - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
12    - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2024-03-19
15tags:
16    - attack.defense-evasion
17    - attack.t1070.005
18logsource:
19    category: registry_set
20    product: windows
21detection:
22    selection:
23        TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
24    condition: selection
25falsepositives:
26    - Unknown
27level: low

References

Related rules

to-top