Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users from accessing IIS web resources, thereby releasing/preventing locks which could inhibit ransomware-related encryption.

Read More

Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects registry value set to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects powershell scripts attempting to disable MS Defender components using Set-MpPreference as performed by Vice Society ransomware gang. This includes additional techniques to evade existing rules by feeding in a proxy value of $true using a powershell boolean expression like (0 -eq $false).

Read More

Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects use of the reg utility to tamper with MS Defender protections.

Read More

Looks for instances of powershell being used to disable or impair Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for instances of powershell being used to modify or degrade Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Read More