MaxMpxCt Registry Value Changed
Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
Sigma rule (View on GitHub)
1title: MaxMpxCt Registry Value Changed
2id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
3status: experimental
4description: |
5 Detects changes to the "MaxMpxCt" registry value.
6 MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
7 Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
8references:
9 - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
10 - https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
11 - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
12 - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2024/03/19
15tags:
16 - attack.defense_evasion
17 - attack.t1070.005
18logsource:
19 category: registry_set
20 product: windows
21detection:
22 selection:
23 TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
24 condition: selection
25falsepositives:
26 - Unknown
27level: low
References
-
This blog post provides a detailed look at the TTPs of a ransomware affiliate operator. In this case, the endpoint had been moved to another infrastructure (as illustrated by various command lines, and confirmed by the partner), so while Huntress SOC analysts reported the activity to the partner, no Huntress customer was impacted by the ransomware deployment.
Read More -
ALPHV/BlackCat is the first widely known ransomware written in Rust. The malware must run with an access token consisting of a 32-byte value (--access-token parameter), and other parameters can be specified. Learn about its particular behaviors.
Read More -
ALPHV (or BlackCat or Noberus) ransomware emerged only last December and is already considered as a genuine threat that blue teams should be ready to fight against while little is known on the employed entry vector(s).
Read More -
With victims in the US, Australia and India, BlackCat is a new RaaS making a big impact. Learn more about this unique ransomware's behavior and IoCs.
Read More
Related rules
- Disable Administrative Share Creation at Startup
- Unmount Share Via Net.EXE
- PowerShell Deleted Mounted Share
- Add SafeBoot Keys Via Reg Utility
- EVTX Created In Uncommon Location