SOC Prime Threat Bounty Digest — December 2023 Results
Table of contents:
Threat Bounty Content Acceptance
Since the launch of the Threat Bounty Program, SOC Prime has been providing skilled and enthusiastic detection engineers to align their skills with the actual and real-time demand for threat detection content. During the year 2023, we continued to align the efforts of the Threat Bounty members with the Platform evolution, which resulted in some changes to the content acceptance criteria. Namely, we strictly follow the content verification procedures and publication guidelines for the rules that are based on the low-level IOCs, rules that are designed to trigger alerts based on alerts of other security solutions, and rules that have limited applicability or adaptability — which is referred to as a “low resilience for long-term use on the SOC Prime Platform.” At SOC Prime, we are confident that this collective effort and the feedback sharing encourage the development of professional skills that are vital in the cybersecurity industry these days.
We hope that all members of the Threat Bounty Program take into account the content acceptance rules and pay attention to general recommendations that they receive in regard to content improvements or as a reason for rejection of publication.
TOP Threat Bounty Detection Rules of the Month
The following detections by Threat Bounty developers on the SOC Prime Platform were the most popular:
Possible Persistence Detection by North Korean APT38/Lazarus Group via Detection of Associated Command Line Parameters (via process_creation) – threat hunting rule by Davut Selcuk that identifies potential indicators of persistence by the North Korean APT38/Lazarus Group, leveraging the detection of associated command line parameters.
Possible Executing Malicious VBA Code into Excel or Word Documents by Detection of Associated Commands (via ps_script) – threat hunting rule by Emre Ay that detects the threat actors that attempt to execute malicious vba code into Excel or Word documents by using suspicious powershell commands.
Suspicious Registry Key Change of DarkGate Malware Activity (via registry_event) – threat hunting rule by Davut Selcuk that detects changes to registry keys associated with DarkGate.
Possible Agent Racoon Malware Execution by Using PowerShell Plug-Ins to Dump Emails in MS Exchange Environments with PowerShell Script Block – threat hunting rule by Nattatorn Chuensangarun detects suspicious Agent Racoon malware activity using the PowerShell plugin to execute malicious pst files within the IIS system directory (inetsrv) for email dumps in MS Exchange environments.
Possible Ransomware Threat Activity ESXi All VMs and Delete Their Snapshots via VIM-CMD – threat hunting rule by Kaan Yeniyol detects the deletion of snapshots and virtual machines on ESXi devices using the VMSVC command. Ransomware groups, upon compromising ESXi systems, delete snapshots associated with devices and encrypt files.
Top Authors of the Month
Although sometimes Threat Bounty members cease their activities with the Program and no longer have the privileges as active Threat Boutny authors, their detections still enable the enterprises leveraging SOC Prime to withstand cyber threats:
The following authors have demonstrated an outstanding contribution with their detection content that passed the quality verification of the SOC Prime Team:
Stay tuned to the news, updates, and community discussions to be among the first to learn about the upcoming changes to the Threat Bounty Program, and don’t hesitate to enable companies worldwide to defend against emerging threats with your Threat Bounty detections powered by SOC Prime’s innovations.
