SOC Prime Threat Bounty Digest — June 2024 Results
Table of contents:
Detection Content Submission & Release
In June, SOC Prime’s Threat Bounty Program members started using Uncoder AI to create, validate, and submit rules for review before the release on the SOC Prime Platform. We are happy to provide authors with the tool that assists them in creating high-quality detection rules for Threat Bounty and supports their professional advancement. Our team is committed to equipping detection engineers, DFIR specialists, and SOC analysts with the best technologies to boost their technical and analytical skills, overcome real-world challenges, and align their professional backgrounds with the industry’s needs while rewarding authors actively participating in SOC Prime’s crowdsourced detection engineering initiative. Find out more about the evolution of the Threat Bounty Program in this article.
In June, the program members successfully published 24 new unique Threat Bounty detection rules capable of identifying malicious behaviors. With the help of built-in validation, content authors enhanced their understanding of Sigma syntax, which helped them avoid common mistakes in the future. The verification team observes the constant improvement in submitted rules to meet the acceptance criteria for Threat Bounty submissions.
The feedback provided by SOC Prime’s team during the content verification process helped to align further efforts spent on research and rule creation with the need for actionable content to detect malicious behaviors. The verification team has received more rules that meet Threat Bounty acceptance criteria.
The Uncoder AI functionalities, including a private content repository within the SOC Prime Platform, are available to all Threat Bounty Program members, and we encourage them to actively use the tool for personal and professional development and for working with various types of content and formats. However, we still only accept detection rules that meet the Program requirements, so we recommend that authors who want to monetize their detection rules follow the requirements each time they want to have their rule published for monetization on the SOC Prime Platform.
TOP Threat Bounty Detection Rules
The following Threat Bounty detections were the most referred to by the companies leveraging SOC Prime:
Possible Detection Black Basta Exploit Tool Using Windows Privilege Escalation Vulnerability for Persistence (CVE-2024-26169) (via registry_set) – threat hunting Sigma rule by Davut Selcuk that detects the use of an exploit tool associated with the Black Basta ransomware group, which leverages a Windows privilege escalation vulnerability (CVE-2024-26169) in the Windows Error Reporting Service to gain persistence. The Cardinal cybercrime group (aka Storm-1811, UNC4393) has been linked to exploiting this vulnerability as a zero-day. The exploit tool exploits the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys.
Possible Detection of WARMCOOKIE Backdoor Execution Linked to Suspicious rundll32.exe Execution Associated Commands (via process_creation) – threat hunting Sigma rule by Davut Selcuk that helps to detect suspicious execution of rundll32.exe that are associated with the WARMCOOKIE backdoor. WARMCOOKIE is a backdoor used by threat actors to infiltrate and compromise systems, commonly delivered via phishing campaigns with recruiting themes. It employs rundll32.exe for executing malicious payloads stored in temporary directories, aiming for persistence and remote control.
Possible ShrinkLocker Ransomware Activity to Abuse Microsoft Bitlocker via Modifying Associated Registry Key (via registry_event) – the threat hunting Sigma rule by Emre Ay detects the Shrinklocker ransomware behavior that attempts to modify a registry value, which allows it to abuse Microsoft Bitlocker.
SolarWinds Serv-U-FTP Directory Traversal Vulnerability (CVE-2024-28995) – threat hunting Sigma rule by Emir Erdogan. This rule identifies exploitation attempts of SolarWinds Serv-U-FTP Directory Traversal Vulnerability by the help of webserver logs.
Suspicious Command Execution of STOP Ransomware by Detection of Associated Commandline ( via process_creation) – threat hunting Sigma rule by Emre Ay detects suspicious commands related with STOP/DJVU Ransomware that aim to start its malicious activity via using associated commands.
Top Authors
Threat Bounty detection rules by these authors were the most popular on the Platform in July:
Moreover, Emir Erdogan received a digital badge as a Trusted Contributor in recognition of his contribution to the SOC Prime Platform this year.
If you would like to follow the success of the authors whom SOC Prime regularly recognizes for their submissions, please read the insightful interview with Kyaw Pyiyt Htet acknowledged as one of the Top 20 SOC Prime contributors.
Uplift your skills using Uncoder AI as your IDE for detection engineering, and monetize your skills by publications to the SOC Prime Platform with the Threat Bounty Program.