SOC Prime Threat Bounty Digest — April 2024 Results
Threat Bounty Publications
Enthusiastic members of the Threat Bounty Program submitted more than 250 detections for review, competing for publication on the SOC Prime Platform and for rating-based rewards. All the rules were carefully reviewed by our team of distinguished detection engineers, and as a result, 59 of the submitted rules were published on the Threat Detection Marketplace.
For Threat Bounty publications, every submitted detection is reviewed by an experienced team to determine whether it meets the content acceptance criteria. We encourage program members to follow the Threat Bounty content acceptance requirements so that their rules have a high chance of publication and their development effort is spent reasonably and efficiently.
TOP Threat Bounty Detection Rules
Please see the detection rules that were the most popular among the companies that leverage the SOC Prime Platform for their security operations:
- Suspicious SSLoad Malware Persistence Activity for Malicious Use with Cobalt Strike of by Detection of Associated Commands (via process_creation) threat hunting Sigma rule by Davut Selcuk detects suspicious SSLoad malware persistence activity potentially associated with the deployment of Cobalt Strike. The detection is based on specific commands observed in process creation events on Windows systems.
- Suspicious Malicious C2 Activity of ‘MuddyWater against a Middle East target’ By Detection of PowerShell CommandLine threat hunting Sigma rule by Aung Kyaw Min Naing detects malicious PowerShell execution by MuddyWater against a Middle East target that abuses the AutodialDLL registry key to load a DLL for a C2 framework.
- Highly Possible Exploitation Command Injection Attacks By Using Rust Vulnerability (CVE-2024-24576) threat hunting rule by Emir Erdogan detects Windows command injection attacks that exploit the Rust programming language vulnerability (CVE-2024-24576), based on process_creation logs.
- Suspicious XWorm Persistence Activity by Detection of Associated Commands (via process_creation) threat hunting Sigma rule by Davut Selcuk aims to detect suspicious persistence activity associated with the XWorm malware. The rule identifies potential instances where XWorm establishes persistence on the system using schtasks.exe.
- Possible Forest Blizzard Persistence by Adding Registry to Deploy DLL File through Windows Service (via registry_event) threat hunting Sigma rule by Nattatorn Chuensangarun detects suspicious Forest Blizzard activity in which a registry key is added to execute a malicious DLL file through a Windows service.
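Several of the rules above (for example the XWorm persistence detection) key on command lines seen in process_creation events. The following Python matcher is an added illustration written for this digest, not any of the published Threat Bounty rules; its Sigma-style selection logic (schtasks.exe task creation pointing into a user-writable directory) and the sample events are constructed assumptions.

```python
# Illustrative Sigma-style matcher for a process_creation rule (constructed
# example, not a published Threat Bounty rule). Shows how a scheduled-task
# persistence detection keys on schtasks.exe command-line patterns.

# Assumed, simplified rule logic: schtasks.exe creating a task whose action
# lives in a user-writable path. These are generic heuristics, not XWorm IoCs.
RULE = {
    "title": "Scheduled Task Persistence From User-Writable Path (illustrative)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "selection": {
        "Image|endswith": "\\schtasks.exe",
        "CommandLine|contains": "/create",
    },
    "suspicious_paths": {
        "CommandLine|contains": ["\\AppData\\", "\\Temp\\", "\\ProgramData\\"],
    },
}

def _field_match(event, key, expected):
    """Evaluate one Sigma-like 'Field|modifier' condition against an event."""
    field, _, modifier = key.partition("|")
    value = event.get(field, "").lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        cand = cand.lower()
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "contains" and cand in value:
            return True
        if modifier == "" and value == cand:
            return True
    return False

def matches(event, rule=RULE):
    """True when all selection fields match AND any suspicious path matches."""
    sel_ok = all(_field_match(event, k, v) for k, v in rule["selection"].items())
    path_ok = any(_field_match(event, k, v) for k, v in rule["suspicious_paths"].items())
    return sel_ok and path_ok

# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 1 /tn "Updater" /tr "C:\\Users\\bob\\AppData\\Roaming\\x.exe"'},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /query /tn Backup"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

def scan(events):
    """Return the command lines of all events the rule flags."""
    return [e["CommandLine"] for e in events if matches(e)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```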
Top Authors
Detection rules by the following members of the Threat Bounty Program were the most referred to by active users who rely on the SOC Prime Platform to enhance security operations in their organizations:
We are happy to announce that the following authors received recognition badges for their active contributions to the SOC Prime Platform this year:
Sittikorn Sangrattanapitak and Mehmet Kadir CIRIK – for achieving the milestone of 10 successful publications this year
Davut Selcuk – for achieving 50 successful publications of detection rules to the SOC Prime Platform in 2024.
Upcoming changes
We are looking forward to introducing a new flow for Threat Bounty Program members to create and manage their Threat Bounty rules via Uncoder AI. The upcoming release will fully replace the Developer Portal and the Sigma Rules Bot for Threat Bounty, and Uncoder AI will serve as the single IDE and content submission management tool for Threat Bounty Program members.
We will additionally inform Threat Bounty members about the details of the upcoming changes on Discord, via the Developer Portal before its end of life, and via email. Stay tuned to announcements and newsletters about the Threat Bounty Program!