SOC Prime Threat Bounty Digest — January 2024 Results
Threat Bounty Content
In January, the members of the Threat Bounty Program were very active in submitting detections for review by SOC Prime’s content verification team. After the verification and examination of the suggested rules, 44 detections were published to the Threat Detection Marketplace, although some rules required minor changes and were returned to the authors for final corrections.
As usual, our team is open to answering questions about the content acceptance criteria on SOC Prime’s Discord server. As the SOC Prime Platform evolves, the content acceptance criteria also change, and it is essential that all authors, regardless of their experience with Threat Bounty publications, understand what detection code is accepted for publication. This can help content authors invest their time in the research and development of Threat Bounty rules more reasonably and efficiently.
TOP Threat Bounty Detection Rules
These five detections published under the Threat Bounty Program were the most popular among the organizations leveraging the SOC Prime Platform to enhance their security operations:
Suspicious Ivanti Pulse Connect Secure Authentication Bypass Vulnerability [CVE-2023-46805] Exploitation Attempt (via proxy) – a threat hunting Sigma rule by Mustafa Gurkan KARAKAYA that detects a possible exploitation attempt of the Ivanti authentication bypass vulnerability [CVE-2023-46805] via the associated request.
Event log cleared using Diagnostics (via PowerShell) – a threat hunting Sigma rule by Michel de Crevoisier. This rule detects scenarios where an attacker attempts to clear the event logs.
Possible Initial Access by Exploitation of Ivanti Connect Secure VPN Remote Code Execution Vulnerability [CVE-2024-21887] (via webserver) – a threat hunting Sigma rule by Kaan Yeniyol. This rule detects exploitation attempts against a command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x), which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the device.
Suspicious DLL Load Without Passing Any Paramater by Manipulating RegSvr’s AutoRegister Feature (via process_creation) – a detection by Mustafa Gurkan KARAKAYA. This rule detects the possible addition of registry keys intended to manipulate regsvr’s AutoRegister feature.
Detect Ransomware Distribution via TeamViewer (via cmdline) – a threat hunting rule by Furkan Celik that detects possible initial ransomware distribution, which is initiated by a .bat file run from the user’s desktop, after which the rundll32 process is invoked with that .bat file.
Top Authors
Threat Bounty rules by these five authors were the most popular among the Threat Detection Marketplace users:
Nattatorn Chuensangarun – 112 detections were used by organizations that use SOC Prime, including 6 rules published during the previous month.
Osman Demir – 80 detections by this author were used by SOC Prime clients. All of these detections were published earlier.
Davut Selcuk – 27 rules by this author, including 12 recently released detections, were used via Threat Detection Marketplace by SOC Prime users.
Mustafa Gurkan KARAKAYA – 50 rules, including eight recently published detections, helped organizations leveraging SOC Prime enhance their threat detection capabilities.
Sittikorn Sangrattanapitak – 90 detection rules, including one recently published detection, were used by the organizations using SOC Prime.
Also, we would like to mention the authors whose detections on the Threat Detection Marketplace demonstrate the best view/download ratio, meaning that detections are downloaded or deployed by SOC Prime clients after viewing the code:
Contribute to the collective cyber defense with your own detection rules via the Threat Bounty Program, and get rewarded for your impact.