Detectionlowtest

MaxMpxCt Registry Value Changed

Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Mar 190e6a9e62-627e-496c-aef5-bfa39da29b5ewindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

huntress.com

Resolving title…

securityscorecard.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1070.005 · Network Share Connection Removal

Rule Metadata

Rule ID

0e6a9e62-627e-496c-aef5-bfa39da29b5e

Status

test

Level

low

Type

Detection

Created

Tue Mar 19

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml

Raw Tags

attack.defense-evasionattack.t1070.005

View on GitHub