SOC Prime Threat Bounty Digest — October 2023 Results

[post-views]
November 15, 2023 · 3 min read
SOC Prime Threat Bounty Digest — October 2023 Results

Discover what’s new in SOC Prime’s Threat Bounty program and the October results. 

Threat Bounty Content Submissions

We are happy that the authors of the Threat Bounty rules invest their time in validating their detections with Warden and researching for existing detections, which helps them avoid duplicates while creating and submitting rules for monetization. In October, the SOC Prime’s team received 477 rules for verification before publication to the SOC Prime Platform. After the standard validation and assessment, 90 rules were approved for publication.

Explore Detections

Threat Bounty Program welcomes new enthusiastic content authors these days, and we invite all of them to join SOC Prime’s Discord server and the dedicated private channels for Threat Bounty discussions. Besides, to ensure all new members are aware of the content acceptance criteria and SOC Prime’s standards, we encourage all authors to watch SOC Prime’s webinars and read our blog

TOP Threat Bounty Detection Rules

These detections submitted by Threat Boutny members were the most demanded by organizations leveraging the SOC Prime Platform:

  1. Suspicious Modification of Registry Key for HTTP/2 Rapid Reset Attack (CVE-2023-44487) Detection (via registry_event) threat hunting Sigma rule by Davut Selcuk detects potential HTTP/2 Rapid Reset Attack activity related to CVE-2023-44487.
  2. Possible CVE-2023-42793 (Authentication Bypass Leading to RCE on JetBrains TeamCity Server) Exploitation Attempt (via proxy) threat hunting Sigma rule by Aykut Gürses identifies possible CVE-2023-42793 exploitation attempt (Authentication Bypass Leading to RCE on JetBrains TeamCity Server), which may be a part of TeamCity RCE chain. Based on publically available POC.
  3. Possible CVE-2023-40044 (Critical Pre-Auth RCE Flaws in WS_FTP Server) Exploitation Attempt (via proxy) threat hunting Sigma rule by Aykut Gürses is based on publically available POC and identifies possible CVE-2023-40044 exploitation attempts (Critical Pre-Auth RCE Flaws in WS_FTP Server), which may be a part of TeamCity RCE chain. 
  4. Suspicious Enumeration Activity To Find User Enabled With Allow Reversible Password Encryption Associated Powershell Command (via ps_script) threat hunting Sigma rule by Mustafa Gurkan KARAKAYA detects possible enumeration activity to discover user enabled reversible password encryption feature on Active Directory. Attackers may attempt to identify users with this feature and try to obtain their password information in plaintext.
  5. Possible CVE-2023-40044 WS_FTP and Ad Hoc Transfer IIS Module Exploitation Attempt (via web server) threat hunting Sigma rule by Sittikorn Sangrattanapitak detects potential exploitation attempts against Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP.

Top Authors

Based on how SOC Prime Platform’s users leveraged the detection content available on the Platform, the detections by these authors were the most demanded:

Sittikorn Sangrattanapitak

Nattatorn Chuensangarun

Osman Demir

Mustafa Gurkan KARAKAYA

Emir Erdogan

Are you curious about publishing your own detections on the SOC Prime Platform? Join the Threat Bounty Program and help companies worldwide withstand cyber threats.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts