SOC Prime Threat Bounty Digest — February 2024 Results

March 13, 2024 · 4 min read

Threat Bounty Publications

In February, the members of the Threat Bounty program submitted more than 350 detections for review by the SOC Prime Team. After review by the content verification team, 70 rules were successfully published on the SOC Prime Platform. During verification, the SOC Prime Team provided more than 400 content rejection explanations and, where possible, recommendations for rule improvements. Authors should keep in mind that rules are reviewed one by one, starting with the rules received for review earliest, and that any change to a rule, including a correction, automatically starts a new iteration of verification.


We were happy to talk with Threat Bounty member Phyo Paing Htun, which resulted in an insightful interview on the SOC Prime Blog and a short video in which Phyo Paing Htun shares his experience and approaches to creating rules for Threat Bounty publication.

Threat Bounty News

We are excited to announce the upcoming introduction of digital credentials for the SOC Prime Threat Bounty Program, issued with Credly by Pearson. The digital credentials are a significant step forward in acknowledging the dedication and expertise of the members of the Threat Bounty community, giving them a tangible symbol of their achievements since the launch of the Threat Bounty initiative as well as recognition of their current achievements. Stay tuned as we embark on this journey to celebrate and empower the authors of detection rules within the Threat Bounty Program.

TOP Threat Bounty Detection Rules

The following five detection rules were the most demanded among the organizations leveraging the SOC Prime Platform to enhance their threat detection capabilities:

Possible Exploitation (CVE-2023-46805 / CVE-2024-21887) of Ivanti Connect Secure Auth Bypass and Command Injection Vulnerabilities (via webserver) – threat hunting Sigma rule by Davut Selcuk that detects potential exploitation of the Ivanti Connect Secure authentication bypass (CVE-2023-46805) and command injection (CVE-2024-21887) vulnerabilities.

Possible Initial Access by Exploitation of Microsoft Outlook Remote Code Execution Vulnerability (MonikerLink) [CVE-2024-21413] – threat hunting rule by Kaan Yeniyol that detects remote code execution and NTLM credential attacks against Microsoft Outlook (CVE-2024-21413). This vulnerability can lead to local NTLM credential leakage and code execution when a user opens an email containing a malicious link.

Suspicious Ivanti Pulse Connect Secure Authentication Bypass Vulnerability [CVE-2023-46805] Exploitation Attempt (via proxy) – threat hunting Sigma rule by Mustafa Gurkan KARAKAYA that detects a possible exploitation attempt of the Ivanti authentication bypass vulnerability [CVE-2023-46805] via the associated request.

Possible Initial Access by Exploitation of Ivanti Connect Secure VPN Remote Code Execution Vulnerability [CVE-2024-21887] (via webserver) – threat hunting rule by Kaan Yeniyol that detects exploitation of a command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x), which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the device.

Possible Privilege Escalation via TrustedInstaller for Lsass Dump by Detection of Associated Commands (via process_creation) – threat hunting Sigma rule by Davut Selcuk that identifies potential privilege escalation attempts by detecting activity related to the disabling of SeDebugPrivilege. It specifically focuses on techniques that leverage the TrustedInstaller account to bypass privilege restrictions, enabling memory dumping of lsass.exe with tools such as ProcDump.
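To make the process_creation angle of the last rule concrete, here is an added illustration (not Davut Selcuk's rule and not SOC Prime content) of how a detector over process creation events can score the ProcDump-against-lsass.exe pattern and the TrustedInstaller parent context together. The event field names (Image, CommandLine, ParentImage, User) are assumed to follow Sysmon-style naming, the sample events are constructed, and the SeDebugPrivilege aspect of the published rule is not modelled here.

```python
"""Illustrative process_creation detector for LSASS dumping via ProcDump.

Added example, not the Threat Bounty rule itself. Field names are assumed
to follow Sysmon event ID 1 conventions; events below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\temp\out.dmp",
     "ParentImage": r"C:\Windows\servicing\TrustedInstaller.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Tools\procdump64.exe",          # legitimate-looking app dump
     "CommandLine": r"procdump64.exe -accepteula -ma w3wp.exe C:\temp\w3wp.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\devops"},
    {"Image": r"C:\Windows\System32\notepad.exe",  # 'lsass' substring, not a target
     "CommandLine": r"notepad.exe lsass_notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe",       # TrustedInstaller parent only
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\servicing\TrustedInstaller.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

# Known ProcDump binary names (assumed list for the example).
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe", "procdump64a.exe"}
# lsass or lsass.exe as a whole token, so 'lsass_notes.txt' does not match.
LSASS_TARGET = re.compile(r"(^|\s)lsass(\.exe)?(\s|$)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    severity: str
    reasons: list


def evaluate(event):
    """Return a Finding for a suspicious process_creation event, else None."""
    reasons = []
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))

    first_token = cmd.split(" ", 1)[0] if cmd else ""
    is_procdump = image in PROCDUMP_NAMES or basename(first_token) in PROCDUMP_NAMES
    targets_lsass = bool(LSASS_TARGET.search(cmd))

    if is_procdump and targets_lsass:
        reasons.append("ProcDump invoked against lsass.exe")
    if parent == "trustedinstaller.exe":
        reasons.append("process spawned under TrustedInstaller.exe")
    if not reasons:
        return None

    # Both indicators together match the described technique; each alone is weaker.
    if len(reasons) == 2:
        severity = "high"
    elif is_procdump and targets_lsass:
        severity = "medium"
    else:
        severity = "low"
    return Finding(severity, reasons)


def scan(events):
    """Evaluate every event; return (index, Finding) pairs for hits only."""
    hits = []
    for idx, ev in enumerate(events):
        finding = evaluate(ev)
        if finding is not None:
            hits.append((idx, finding))
    return hits


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding.severity} - {'; '.join(finding.reasons)}")
```

The whole-token match on lsass avoids the false positive on the notepad event, while a process merely spawned under TrustedInstaller is kept as a low-severity signal so that the combination, rather than either indicator on its own, drives the alert.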

Top Authors

Threat Bounty detection rules by these authors were the most interesting and useful for the companies that use the SOC Prime Platform in their daily security operations:

Davut Selcuk – published 25 new rules in February; a total of 58 of his detections, including rules published previously, were used by SOC Prime client companies.

Emre Ay – published 12 new rules; companies on the SOC Prime Platform downloaded a total of 38 of his detections.

Sittikorn Sangrattanapitak – 58 unique rules, including 6 rules published in February, were downloaded.

Nattatorn Chuensangarun – 45 detections, including 4 rules published in February, were downloaded by companies via the SOC Prime Platform.

Osman Demir – 40 detection rules, including one rule published in February, were downloaded and counted toward the February Threat Bounty results.

Don’t hesitate to join the Threat Bounty Program and contribute to the collective detection engineering initiative that enables companies worldwide to withstand emerging threats. Keep your focus on detection engineering for real cases that address the actual demand of organizations worldwide.
