SOC Prime Threat Bounty Digest — March 2024 Results

Alla Yurchenko
Latest posts by Alla Yurchenko (see all)
WRITTEN BY
Alla Yurchenko
[post-views]
April 12, 2024 · 4 min read
March 2024 Results

Threat Bounty Publications

In March 2024, 40 threat detection rules were successfully published to SOC Prime’s Platform via the Threat Bounty Program after the review of our Content Team. Although we observe an overall improvement in the quality of submissions, there are also some typical misconceptions that can be recognized in the approaches to content publication by many authors. Today, we would like to share this information with you, hoping that it will help the Threat Bounty content contributors gain more successful publications.

Detection rules specifically based on the IOCs provided in some blog posts, articles, newsletters, etc., are not the rules that SOC Prime is expecting from Threat Bounty members as a contribution for publication. When it comes to crowdsourced detection engineering, we want to see more Tools content, and detection rules related to correlation aspects of specific behaviors.

For a smooth start with the publications, our team recommends the Program members follow the guidelines outlined in the Threat Bounty FAQ section of SOC Prime’s help center. If you feel that you also need some guidelines with a practical approach, you are welcome to watch SOC Prime’s webinars, especially those focused on Sigma and Threat Hunting, and Threat Bounty Program.

Besides, the upcoming webinar, which was recently announced on SOC Prime’s Discord, will focus on the common struggles of those who just started writing rules for Threat Bounty and provide guidelines to the authors who are interested and motivated to improve their acceptance rate and the average number of successful publications. We are open to questions, suggestions, and stories of personal experience with the Threat Bounty publications – if you have something to share, let us know on Discord. Stay tuned for further updates on the date and time of the webinar.

TOP Threat Bounty Detection Rules

The following rules that were published to the SOC Prime Platform via the Threat Bounty Program gained the most interest among Platform users during March 2024:

  1. Possible Cryptocurrency Miner Deployment with Persistence Commands in ScreenConnect Post-Exploitation(CVE-2024-1709 & CVE-2024-1708) (via process_creation) – Threat Hunting Sigma rule by Davut Selcuk detects potential cryptocurrency miner deployment and persistence commands during post-exploitation activities via ScreenConnect. It can identify specific command sequences involving schtasks.exe creating scheduled tasks containing SentinelUI.exe.
  2. Detection of Suspicious File Creation Linked to APT Group Water Hydra Exploiting Microsoft Defender SmartScreen Zero-Day (CVE-2024-21412) (via file_event) – Threat Hunting Sigma rule by Davut Selcuk detects the creation of suspicious files by the APT group Water Hydra, who exploit the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in campaigns targeting financial market traders.
  3. Suspicious Persistence Activity of TinyTurla Malware By Russian Espionage Group via Associated Commandline (via process_creation) – Threat Hunting Sigma rule by Mustafa Gurkan KARAKAYA detects possible TinyTurla malware persistence activity by creating associated service through adding registry key.
  4. Possible RA World Ransomware Persistence Activity Through Creating Suspicious Service (via security) – Threat Hunting Sigma rule by Mustafa Gurkan KARAKAYA detects possible persistence activity of RA World Ransomware by creating associated service.
  5. Possible Initial Access by Exploitation of Microsoft Outlook Remote Code Execution Vulnerability (MonikerLink) [CVE-2024-21413] – Threat Hunting Sigma rule by Kaan Yeniyol detects possible remote code execution and NTLM credential attacks in Microsoft Outlook (CVE-2024-21413).

Top Authors

While we are still in the process of collecting and validating all the information needed for rewards payouts, I would still like to share the list of top-five Threat Bounty authors of the month. During March, the users of Threat Detection Marketplace referred the most to the detection rules of these five authors, among other authors of Threat Bounty detection rules:

Nattatorn Chuensangarun

Davut Selcuk

Sittikorn Sangrattanapitak

Emre Ay

Mustafa Gurkan KARAKAYA

Besides, earlier this week, five members of the Threat Bounty Program received recognition badges from SOC Prime as proof of their valuable contributions and the achievement of ten successful publications of their threat detection rules in 2024. Find more about the Threat Bounty badges and the recent awards in this article

We invite skilled and motivated people who are interested in developing their detection engineering skills and earning money with their contributions to apply for participation in the Threat Bounty Program!

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
Join for Free Book a Meeting

Related Posts

UAC-0133 (Sandworm) Reemerges
Blog, Latest Threats — 5 min read
UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine
Veronika Telychko
UAC-0149
Blog, Latest Threats — 3 min read
UAC-0149 Attacks Ukrainian Defense Forces Using Signal, CVE-2023-38831 Exploits, and COOKBOX Malware
Daryna Olyniychuk
Akira Ransomware Detection
Blog, Latest Threats — 4 min read
Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia
Veronika Telychko