We believe that our investors reflect and share our team’s core values: a commitment to a better, safer cyber world through technology, innovation, diversity and privacy. Together, we are building an Open Core company with an international community at its heart.
At the core of each threat detection capability lies the combination of timely data and algorithms to find evil. Since 1999, these challenges have been addressed with log analytics and SIEM systems generating security alerts. Two decades have passed, and most SIEM technology will help you deploy hundreds of alerting rules, while data lakes and built-in fast search databases extend this with support for a few thousand threat hunting queries. It is with AI that we can augment those capabilities to monitor hundreds of thousands of malicious behavior patterns, anomalies and emerging threats, while avoiding double taxation on cost and keeping our privacy and data. SOC Prime delivers AI capabilities to any SOC, as SaaS or on premise, as Content.
Moving algorithms is orders of magnitude less compute-taxing than moving terabytes of data, which is exactly what SOC Prime does: we research emerging threats with the help of our community, code detections into rules, queries and AI models, and deliver them to you instead of asking for your data and duplicating it to our cloud or systems. We always train on premise, so that your datasets and ours stay private and don’t leak to third parties. We will design the most compute-efficient way of detecting all the latest threats at your organization, so that we can spare those CPU cycles and help the Planet to carry on.
SOC Prime works with a number of open source projects and, being an Open Core company, contributes feedback and code back. In 2023, we open sourced Uncoder AI, our co-pilot for Detection Engineering, which can be operated air-gapped or in the cloud, with the latter benefiting from centralization features. Next plans include integrating Uncoder with MITRE TRAM, an open source Apache 2.0 project for language recognition and CTI analysis. As our private AI models come out, we are also sharing the code to operate them.
Privacy, transparency, speed and security are at the core of SOC Prime technology. We use the best tech stack with a focus on open source, for the maximum benefit of our community, while advancing innovation in cybersecurity.
SOC Prime has been actively leveraging ATT&CK in threat detection practices and initial cyber attack attribution to facilitate its adoption as the industry benchmark. SOC Prime invented the whole concept of tagging Sigma rules with ATT&CK and applied it to the public NotPetya investigation and the first-pass attribution in 2017. At the very first MITRE ATT&CK EU Community workshop in 2018 in Luxembourg, we solidified the concept into practice with the support of like-minded cyber defense practitioners.
Sigma and ATT&CK, the two open-source standards, have empowered hundreds of researchers to describe attackers’ behavior, while SOC Prime Platform made it easy to discover and analyze adversary TTPs, find blind spots in log source coverage, address existing gaps, prioritize detection procedures, and share the TTP context with peers in 45 major SIEM, EDR, and Data Lake detection languages.
name: Possible Credential Dumping Using Comsvcs.dll (via cmdline)
details: Adversaries can use built-in library comsvcs.dll to dump credentials
  on a compromised host.
author: SOC Prime Team
severity: high
type: query
class: behaviour
date: 2020-05-24
mitre-attack: t1003.001
timeline:
  2022-04-01 - 2022-08-08: Bumblebee
  2022-07-27: KNOTWEED
  2022-12-04: UAC-0082, CERT-UA#4435
logsource:
  product: Windows # Sigma or OCSF product
  log_name: Security # OCSF log name
  class_name: Process Activity # OCSF class
  #category: # Sigma category
  #service: # Sigma service
  audit:
    source: Windows Security Event Log
    enable: Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process
detection:
  language: splunk-spl-query
  body: index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR ((process="*comsvcs*") AND (process="*#24*"))) OR ((process="*comsvcs*") AND (process="*full*")))
references:
  - https://badoption.eu/blog/2023/06/21/dumpit.html
tags: Bumblebee, UAC-0082, CERT-UA#4435, KNOTWEED, Comsvcs, cir_ttps, ContentlistEndpoint
license: DRL
version: 1
uuid: 151fbb45-0048-497a-95ec-2fa733bb15dc
#correlation: [] # extended format
#response: [] # extended format
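To show what the detection body above actually fires on, here is an added Python example (not SOC Prime's code) that re-implements the SPL predicate and runs it over constructed process-creation records. The key=value event layout, host names and user names are assumptions made for the example.

```python
import re

# Constructed sample Windows Security 4688 (process creation) records, laid out as
# key=value pairs the way a Splunk-indexed event might look. The "process" field
# carries the command line, which is what the rule above searches ("via cmdline").
# None of these lines come from a real host.
SAMPLE_EVENTS = [
    'EventCode=4688 host=WS01 user=jsmith process="C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Temp\\lsass.dmp full"',
    'EventCode=4688 host=WS02 user=svc_build process="C:\\Windows\\System32\\rundll32.exe comsvcs.dll #24 624 C:\\Temp\\out.bin full"',
    'EventCode=4688 host=WS03 user=admin process="regsvr32.exe /s C:\\Windows\\System32\\comsvcs.dll"',
    'EventCode=4688 host=WS04 user=dev process="C:\\Tools\\procdump.exe -ma 624 lsass.dmp"',
    'EventCode=4688 host=WS05 user=ops process="notepad.exe C:\\docs\\fullreport.txt"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def matches_comsvcs_dump(process):
    """Mirror the SPL body: process contains 'comsvcs' AND one of 'MiniDump', '#24', 'full'.
    Splunk field=value wildcard matches are case-insensitive by default, so compare in
    lower case. Note the rule keys on the comsvcs export only: a dump taken with another
    tool (e.g. the procdump sample) is out of scope and needs its own detection."""
    p = process.lower()
    return "comsvcs" in p and any(t in p for t in ("minidump", "#24", "full"))


def run_detection(lines):
    """Return (host, user) pairs for the events that trigger the rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if matches_comsvcs_dump(ev.get("process", "")):
            hits.append((ev["host"], ev["user"]))
    return hits


if __name__ == "__main__":
    for host, user in run_detection(SAMPLE_EVENTS):
        print(f"ALERT T1003.001 comsvcs.dll dump attempt: host={host} user={user}")
```

Only the first two records fire: the regsvr32 line contains comsvcs.dll but no dump verb, and the last two contain a dump verb or "full" without comsvcs, which is the AND the query relies on to keep noise down.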
Explore AI capabilities with free community access and engage in discussions in our dedicated Discord space. If you’re looking to extend your organization’s cyber defences with AI, threat intelligence and Detection as Code, we’d be happy to talk.