SOC Prime Threat Bounty Digest — September 2024 Results
Detection Content Creation, Submission & Release
In September, the Threat Bounty Program saw significant growth: more detection rules were submitted for verification, and more Threat Bounty rules were successfully released to the SOC Prime Platform. We remain committed to ensuring that all Program members make the most of their access to Uncoder AI to monetize their detection engineering skills with SOC Prime.
While we appreciate the efforts of all authors of threat detection rules, it is important to emphasize that only rules that pass verification can be published. We acknowledge that some Program members may find it challenging to adapt their experience with SIEM-specific queries to detection rules that satisfy our requirements, such as complex detection logic and a focus on indicators of attack (attacker behavior) rather than low-level indicators of compromise (file hashes, IP addresses, domains). However, working through this challenge boosts the professional advancement of Threat Bounty Program members and enhances the effectiveness of our collective threat detection efforts.
As the Threat Bounty Program continues to grow, we are excited to recognize the Program members who skillfully utilize Uncoder AI. These individuals are not only enhancing their own capabilities but also setting themselves apart in the job market, demonstrating proficiency in utilizing the technology and methodology that make detection engineering more efficient.
TOP September Rules by Threat Bounty Authors
Detection of Common RAT (Remote Administration Tools) Execution—Sigma rule by Emanuele De Lucia. This rule detects the execution of the most popular RATs via process_creation events.
Possible Hadooken Malware Execution by Dropping Payload to Deploy Cryptominer Malware Targets Weblogic Applications [Linux] (via file_event) by Nattatorn Chuensangarun. This Sigma rule detects suspicious Hadooken malware activity: the dropping of a malicious ELF payload that deploys cryptominer malware on targeted WebLogic servers.
Suspicious Microsoft IIS(Internet Information Services) configuration linked to SEO Manipulation Campaign—Threat Bounty Sigma rule by Joseph Kamau. This rule detects a change to an IIS configuration setting that enables successful deployment of the BadIIS malware on a compromised IIS server; the change is required because of the malware's shortcomings (it cannot compress the output of the scripts), as seen in the DragonRank SEO campaign.
Detection of Signed Binary Proxy Execution Linked to Latrodectus Malware (via CmdLine)—threat hunting Sigma rule by Kyaw Pyiyt Htet. The rule detects the execution of a signed binary proxy associated with Latrodectus malware, which is commonly distributed through email spam campaigns.
Suspicious SChannel Weak Certificate Mapping Methods Setting (via registry event)—threat hunting Sigma rule by Sittikorn Sangrattanapitak. According to the author, this rule detects weak certificate mapping method settings via registry changes. When a server application requires client authentication, SChannel automatically attempts to map the client’s certificate to a corresponding user account. This allows user authentication through client certificates by creating mappings that link the certificate information to a Windows user account.
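As an added example, which is neither the author's rule nor SOC Prime code, the following Python evaluates constructed Sysmon-style registry_event records for weak SChannel certificate mapping settings. It assumes the setting in question is the Schannel CertificateMappingMethods DWORD under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, with bit meanings as documented in Microsoft KB5014754 (0x1, 0x2 and 0x4 are the weak methods; 0x8 and 0x10 are the strong S4U2Self methods, and 0x18 is the post-update default). The sample events, field names and function names are constructed for this example.

```python
"""Added example: flag registry writes that enable weak SChannel certificate
mapping methods. Not the Threat Bounty author's rule; logic and sample data
are constructed for illustration."""
import re
from typing import Optional

# Assumption: the setting the rule targets is this value (per Microsoft KB5014754).
SCHANNEL_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
VALUE_NAME = "CertificateMappingMethods"

# Bit meanings per KB5014754. Subject/Issuer, Issuer and UPN mapping are weak;
# the two S4U2Self methods are strong.
MAPPING_METHODS = {
    0x0001: ("Subject/Issuer certificate mapping", "weak"),
    0x0002: ("Issuer certificate mapping", "weak"),
    0x0004: ("UPN certificate mapping", "weak"),
    0x0008: ("S4U2Self certificate mapping", "strong"),
    0x0010: ("S4U2Self explicit certificate mapping", "strong"),
}

# Sysmon Event ID 13 renders the written value as e.g. "DWORD (0x0000001f)".
_DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-fA-F]+|\d+)\)")


def parse_dword(details: str) -> Optional[int]:
    """Extract the integer written to the registry from the Details field."""
    m = _DWORD_RE.search(details)
    if not m:
        return None
    raw = m.group(1)
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)


def weak_methods(mask: int) -> list:
    """Return the names of weak mapping methods enabled in the bitmask."""
    return [name for bit, (name, strength) in MAPPING_METHODS.items()
            if strength == "weak" and mask & bit]


def evaluate(event: dict) -> Optional[dict]:
    """Detection logic: a SetValue on CertificateMappingMethods whose new
    value enables at least one weak method. Returns an alert dict or None."""
    if event.get("EventType") != "SetValue":
        return None
    target = event.get("TargetObject", "")
    if not target.lower().endswith("\\schannel\\certificatemappingmethods"):
        return None
    value = parse_dword(event.get("Details", ""))
    if value is None:
        return None
    weak = weak_methods(value)
    if not weak:
        return None
    return {"image": event.get("Image"), "value": value, "weak_methods": weak}


def scan(events: list) -> list:
    """Run the detection over a batch of registry events."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": SCHANNEL_KEY + "\\" + VALUE_NAME,
     "Details": "DWORD (0x0000001f)"},   # re-enables every weak method
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": SCHANNEL_KEY + "\\" + VALUE_NAME,
     "Details": "DWORD (0x00000018)"},   # default: strong S4U2Self methods only
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SCHANNEL_KEY + "\\" + VALUE_NAME,
     "Details": "DWORD (0x00000004)"},   # UPN mapping only, still weak
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SCHANNEL_KEY + "\\EventLogging",
     "Details": "DWORD (0x00000001)"},   # unrelated value under the same key
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The check deliberately fires on any value that sets a weak bit rather than only on the well-known 0x1F workaround, since an attacker who needs certificate-based authentication to succeed with a forged or mismatched certificate only needs one weak method enabled. A write of the default 0x18 produces no alert, which keeps noise down on systems that are merely reapplying the hardened setting.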
Threat Bounty Authors: September TOP 5
In the September highlights, we proudly recognize the top five Threat Bounty Program members whose contributions to the SOC Prime Platform have demonstrated exceptional performance. Their detection rules not only stand out for their quality but also reflect the trust placed in the crowdsourced detection engineers by the organizations leveraging the SOC Prime Platform.
Nattatorn Chuensangarun, who has also achieved the milestone of 50 released rules in 2024 and received a digital credential as an Excellent Contributor.
We encourage all members of the Threat Bounty Program to continue refining their detection rules and engaging with the community on SOC Prime’s Discord server. Your contributions and skill advancement are vital to enhancing our collective cyber defense efforts. Stay tuned for more updates and opportunities in the Threat Bounty Program, and remember, every rule you create is a step toward your excellence.