SOC Prime Threat Bounty Digest — August 2023 Results
Table of contents:
Threat Bounty monthly digests cover what’s happening in the SOC Prime Threat Bounty community. Each month, we publish the Program news and updates and give recommendations on content improvement based on our observations and analysis during Threat Bounty content verification.
Threat Bounty Content Submissions
During the month of August, the members of the Threat Bounty Program submitted 625 rules for review by the SOC Prime team. Although rules undergo automatic validation by the rule Warden, a thorough examination and validation by the team of experts ensure that only the detections of the best quality are available on the SOC Prime Platform. After the review and suggested improvements, 103 Sigma rules by Threat Bounty members were published to the Threat Detection Marketplace and are available to the Platform users according to their subscription plans.
We are very concerned about the situation that many Threat Bounty developers who have been active Program members for months or even years continue to submit content that doesn’t qualify according to the Program acceptance criteria. For some members, the percentage of successfully published rules is lower than 10% out of submitted. That is why we insist that Threat Bounty Sigma developers, who continuously have most of their content rejected, should regularly review the Threat Bounty guidelines available on the Help Center and watch the SOC Prime webinars on content creation. The SOC Prime team and the professional community are here for you on the SOC Prime’s Discord in case you have any questions.
TOP Threat Bounty Detection Rules
We are delighted to present the top 5 detection rules written by Threat Bounty developers. These rules have proven to address best the security needs of companies leveraging SOC Prime among Threat Bounty content.
- Possible Command Execution of Citrix ADC Zero-Day (CVE-2023-3519) Vulnerability To Extract Information To Suspicious Path (via process_creation) Sigma rule by Mustafa Gurkan KARAKAYA detects possible used commands on exploiting CVE-2023-3519 vulnerability to copy critical information to write suspicious path.
- Possible Rhysida Ransomware (RaaS) Group Targets Latin American Government Institutions with Use of Associated Command Line Parameters (via process_creation) Sigma rule by Mehmet Kadir CIRIK detects suspicious command line parameters used by Rhysida Ransomware.
- Possible Storm-0978 (RomCom) Execution by Leveraging Microsoft Office Zero-day HTML [CVE-2023-36884] Vulnerability through SMB Ports (via network_connection) Sigma rule by Nattatorn Chuensangarun detects suspicious Storm-0978 (RomCom) activity by leveraging Microsoft Office Zero-day HTML Vulnerability (CVE-2023-36884) attack through SMB Ports.
- Possible XWORM Remote Access Trojan Impact And Execution Activities Detected By Associated CommandLine.[via Process_Creation] Sigma rule by Phyo Paing Htun can detect the XWORM remote access trojan impact and execution activities that can abuse the command line to perform a repeated POST request to the provided host and post and also execute shutdown, restart, and logoff process.
- Suspicious Citrix ADC Zero-Day [CVE-2023-3519] Web Shell Detection With Associated Files (via file_event) Sigma rule by Mustafa Gurkan KARAKAYA detects possible web shell files detection dropping to suspicious file path after CVE-2023-3519 vulnerability exploitation.
Top Authors
We would like to recognize and celebrate Sigma developers who have been continuously delivering exceptional insights contributing to the threat detection capabilities of companies that rely on SOC Prime in their day-to-day security operations. In August, the following program members gained the status of top-rated Threat Bounty authors:
Eager to join a crowdsourced detection engineering initiative and monetize your skills? Don’t hesitate to join SOC Prime’s Threat Bounty Program, where you can improve your threat detection & hunting skills and become part of the professional community.
