SOC Prime Threat Bounty Digest — November 2024 Results
Table of contents:
Welcome to the new Threat Bounty monthly digest edition and learn about the November results and updates.
First and foremost, a huge thank you to all the dedicated members of the Threat Bounty Program. In total, 80 detection rules were released on the Threat Detection Marketplace, providing valuable opportunities for detecting emerging cyber threats and giving the Program members a chance to improve and monetize their expertise.
However, this month, the acceptance rate for submitted content remains lower than expected, highlighting the ongoing challenges with adhering to our guidelines and recommendations. It is important to understand that this has led to decreased interest in Threat Bounty rules overall and fewer rewards for contributors. These approaches to content submissions continue to impact content verification and release times, as well as the motivation of program members who prioritize content and research quality over quantity of submissions.
To address the current rejection rates and submissions that don’t meet Program standards and thus cannot be published, we are exploring several improvements to the Threat Bounty Program. These adjustments will help maintain the high standards of detection rules on the Threat Detection Marketplace and ensure that contributors are appropriately rewarded for their valuable work. We will keep you updated on any changes to the Threat Bounty Program and appreciate your continued commitment to enhancing the quality of content.
We encourage the authors to closely follow our guidance to ensure that their submitted detections align with the program standards, including the quality requirements and guidelines for the rule’s titles, and meet the expectations for the premium content on the SOC Prime Platform.
What Detection Rules were Popular in November?
Here are five detection rules by Threat Bounty authors that were most popular among organizations that use the SOC Prime Platform to enhance their security operations:
Possible Detection of VEILDrive Malware’s Registry Modifications for Persistence and C2 Communication through Microsoft Services (via registry_event) by Davut Selcuk detects persistence mechanisms used by VEILDrive malware by monitoring registry modifications under Windows Run keys.
Possible Midnight Blizzard SpearPhishing Campaign(via file_event) by Joseph Kamau detects Possible SpearPhishing attachment execution that is linked to Midnight Blizzard threat actor in the month of October 2024, according to Microsoft Threat Intelligence.
PowerShell Removed Network Share Detects (via ps_script) by Onur Atali detects the removal of a mounted network share via PowerShell. Attackers may delete shared connections to eliminate traces of their activity and limit post-operation visibility.
Possible Detection of EDR Evasion with Suspicious Registry Modifications Targeting Firewall Rules to Block EDR Communications and Enable Stealth (via registry_event) by Davut Selcuk identifies potentially malicious registry modifications aimed at evading Endpoint Detection and Response systems by blocking EDR network communication.
Possible Scattered Spider x RansomHub Execution by Invoking Bat File to Shutdown VM through VMware Tools (via process_creation) by Nattatorn Chuensangarun rule detects suspicious Scattered Spider x RansomHub activity of executing malicious .bat file to shutdown VM through vmtoolsd process.
TOP Content Authors
Here are top 5 Threat Bounty authors whose detections were most popular among clients in November:
Ready to make an impact and monetize your skills? Join the Threat Bounty Program today and contribute your expertise to enhance global cybersecurity. Submit your detection rules, earn rewards, and gain recognition for your valuable work.
