SOC Prime Threat Bounty Digest — September 2023 Results

Meet the new Threat Bounty Program digest that covers the recent news and updates of SOC Prime’s crowdsourced detection engineering initiative.

Threat Bounty Content Submissions

In September, the members of the Threat Bounty Program submitted 629 rules for review by the SOC Prime team before the publication for monetization. After the review and quality assessment, along with numerous iterations for improvements where possible, 90 rules were approved for publication to the SOC Prime Platform.

Explore Detections

To ensure that both Threat Bounty content developers and the global cybersecurity community could drive the most value of the SOC Prime Platform, we have been introducing a set of improvements to the existing workflows and communications for the Threat Bounty Program. For example, to ensure that the how-tos on Threat Bounty content development are known and available to the Program members, we launched a dedicated channel on SOC Prime’s Discord server for knowledge and experience sharing with peers. 

Thus, SOC Prime introduces changes to the current workflows, including communication and supervision by the SOC Prime detection engineering team, rules acceptance, review process, and rewards. Changes introduced are required to ensure the further development of the Threat Bounty Program and its maturity, as well as to align the crowdsourced detection engineering with community needs for proactive threat detection and threat hunting.

TOP Threat Bounty Detection Rules

These are the rules that gained the most attention from the existing Platform clients:

1. Possible Lokibot Targeting Microsoft Office Document Using Known Vulnerabilities by Detection of Associated Commands (via process_creation) – a threat hunting Sigma rule by Emre AY. This rule detects the Lokibot campaign targeting Microsoft Office document using vulnerabilities via associated commands.
2. Possible Steal-It Campaign Activity To Set Environment Variable By Detection of Associated Commandline (via process_creation) – a threat hunting rule by Mustafa Gurkan KARAKAYA. This rule detects possible command execution of a steal-it campaign to set environment variable with a suspicious file location.
3. Suspicious Akira Ransomware Execution by Detection of Associated Parameters (via cmdline) – a threat hunting rule by Osman Demir. This rule detects possible attack campaign, and the malware run with a specific parameter performs ransomware activities.
4. Possible Enumeration Activity of BlackCat Ransomware (aka ALPHV) by Detection of Associated Powershell Command (via ps_script) – threat hunting rule by Mustafa Gurkan KARAKAYA.
5. Possible Enabling Apple Remote Desktop Agent to Perform Remote Code Execution and Lateral Movement by Detection of Associated Command(via process_creation) – threat hunting rule by Emre AY. This rule detects the adversaries that attempt to enable remote desktop management for remote access to the target system for all users with all privileges via executing a kickstart command.

Top Authors

These authors of Threat Bounty detection rules traditionally gained the most interactions with their content by Platform users:

Nattatorn Chuensangarun

Osman Demir

Mustafa Gurkan KARAKAYA

Sittikorn Sangrattanapitak

Emir Erdogan

We encourage enthusiastic developers of SIEM detection rules to join the SOC Prime Threat Bounty Program and contribute to the collective cyber defense while creating a personal portfolio with the market leader and growing professionally in the global cybersecurity community.