SOC Prime Threat Bounty Digest — August 2024 Results

September 12, 2024 · 3 min read

Detection Content Creation, Submission & Release

August 2024 was challenging for the global cyber community, but it was also full of opportunities for SOC Prime’s Threat Bounty members to gain personal recognition and cash for their contributions. During August, 22 detections were successfully released to the SOC Prime Platform, and twice as many detections were returned to the authors for improvement, with recommendations to enhance certain aspects of the detection logic.

SOC Prime incentivizes the most talented and motivated authors and publishes only detections that comply with the Program acceptance criteria and demonstrate the author’s outstanding detection engineering skills. With Uncoder AI, keen cyber security practitioners can gain a lot of practical experience and improve their professional skills and performance by adopting emerging technologies into their daily routines.

Top Threat Bounty Detection Rules

These five rules contributed via the Threat Bounty Program gained the most interest from companies who rely on SOC Prime for enhancing their cyber security operations:

Suspicious Powershell Execution For Async RAT by Detection of Associated Commands (via powershell) – threat hunting Sigma rule by Osman Demir.

Possible Ivanti Authentication Bypass (CVE-2024-7593) Exploitation Attempt (via webserver) – threat hunting rule by Wirapong Petshagun. This rule detects URL patterns used to exploit an authentication bypass vulnerability in Ivanti (CVE-2024-7593). Successful exploitation could lead to an authentication bypass and the creation of an administrator user.

Possible Detection of Specula Tool Exploiting Microsoft Outlook for Post-Exploitation Remote Code Execution via Registry Modifications (via registry_event) – threat hunting Sigma rule by Davut Selcuk detects potential post-exploitation activities using the Specula tool, which exploits Microsoft Outlook for remote code execution by modifying registry settings. Specula can transform Outlook into a command and control (C2) beacon, enabling attackers to execute malicious code remotely.

Possible China-Nexus Threat Group (Velvet Ant) Execution by Abusing F5 Load Balancers to Deploy PlugX Malware (via file_event) – threat hunting rule by Nattatorn Chuensangarun. With this rule, users of the SOC Prime Platform can detect suspicious activity associated with the China-nexus threat group ‘Velvet Ant’.

Possible UNC4393 Persistence by Modifying Registry to Execute BASTA Ransomware through Skype Service (via registry activity) – threat hunting rule by Nattatorn Chuensangarun. This rule detects suspicious UNC4393 activity when the threat actor modifies the registry key to launch a malicious binary payload for deploying BASTA ransomware through Skype.

Top Authors

Detections of the following five authors gained the most attention from the cybersecurity specialists who rely on the SOC Prime Platform for enhancing the cybersecurity of their organizations:

Osman Demir

Nattatorn Chuensangarun

Emir Erdogan

Sittikorn Sangrattanapitak

Davut Selcuk

We are happy to announce that in August, Aung Kyaw Min Naing reached the milestone of 10 successful contributions in 2024 and received a digital badge as a Trusted Contributor to the SOC Prime Platform.

In September, we expect to release multiple badges to the active members of the Threat Bounty Program to recognize and acknowledge their skills in leveraging multiple functionalities of Uncoder AI for detection engineering. We are happy that Threat Bounty members find Uncoder AI helpful for achieving results within the Threat Bounty Program and also leverage the tool as a coach for expanding their expertise in the field.

Looking for an opportunity to refresh your detection engineering skills with AI-assisted technology and become part of the collective cyber defense? Start with the Threat Bounty Program today.
