SOC Prime Threat Bounty Digest — January 2024 Results

[post-views]
February 19, 2024 · 3 min read
SOC Prime Threat Bounty Digest — January 2024 Results

Threat Bounty Content

In January, the members of the Threat Bounty Program were very active in submitting detections for review by SOC Prime’s content verification team. After the verification and examination of the suggested rules, 44 detections were published to the Threat Detection Marketplace, although some rules required minor changes and were returned to the authors for final corrections.

Explore Detections

As usual, our team is open to answering questions about the content acceptance criteria on SOC Prime’s Discord server. As the SOC Prime Platform evolves, the content acceptance criteria also change, and it is essential that all authors, regardless of their experience with Threat Bounty publications, understand what detection code is accepted for publication. This can help content authors invest their time in the research and development of Threat Bounty rules more reasonably and efficiently.

TOP Threat Bounty Detection Rules

These five detections published in terms of the Threat Bounty Program were the most popular amongst the organizations leveraging the SOC Prime Platform to enhance their security operations:

Suspicious Ivanti Pulse Connect Secure Authentication Bypass Vulnerability [CVE-2023-46805] Exploitation Attempt (via proxy) – a threat hunting Sigma rule by Mustafa Gurkan KARAKAYA detects possible Ivanti authentication bypass vulnerability [CVE-2023-46805] exploitation attempt via associated request.

Event log cleared using Diagnostics (via PowerShell) – threat hunting SIgma rule by Michel de Crevoisier. This rule detects scenarios where an attacker attempts to clear the event logs. 

Possible Initial Access by Exploitation of Ivanti Connect Secure VPN Remote Code Execution Vulnerability [CVE-2024-21887] (via webserver) – threat hunting Sigma rule by Kaan Yeniyol. This rule detects a command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x), allowing an authenticated administrator to send specially crafted requests and execute arbitrary commands on the device.

Suspicious DLL Load Without Passing Any Paramater by Manipulating RegSvr’s AutoRegister Feature (via process_creation) – detection by Mustafa Gurkan KARAKAYA. This rule detects possible registry key-adding activity to manipulate regsvr’s autoregister feature.

Detect Ransomware Distribution via TeamViewer (via cmdline) – the threat hunting rule by Furkan Celik detects possible initial ransomware distribution, which is initiated with a .bat extension file that is run from the user’s desktop. Then the rundll32 process is used with the .bat extension file.

Top Authors

Threat Bounty rules by these five authors were the most popular among the Threat Detection Marketplace users:

Nattatorn Chuensangarun 112 detections were used by organizations who use SOC Prime, including 6 rules published during the previous month.

Osman Demir – 80 detections of this author were used by the SOC Prime clients. All the detections were published earlier. 

Davut Selcuk – 27 rules by this author, including 12 recently released detections, were used via Threat Detection Marketplace by SOC Prime users. 

Mustafa Gurkan KARAKAYA – 50 rules, including eight recently published detections, helped organizations leveraging SOC Prime enhance their threat detection capabilities.

Sittikorn Sangrattanapitak – 90 detection rules, including one recently published detection, were used by the organizations using SOC Prime. 

Also, we would like to mention the authors whose detections on the Threat Detection Marketplace demonstrate the best view/download ratio, meaning that detections are downloaded or deployed by SOC Prime clients after viewing the code:

Emre Ay

Kyaw Pyiyt Htet

Joseph Kamau

Michel Crevoisier

Aung Kyaw Min Naing

Contribute to the collective cyber defense with your own detection rules via Threat Bounty Program, and get rewarded for your impact.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts