Threat Bounty Program Digest — May 2024 Results

June 07, 2024 · 4 min read

Publications

In May, our content verification team received more than 300 submissions for review. After the review, and in some cases after repeated revisions with minor corrections to the code, 59 new unique threat detection rules by Threat Bounty Program content authors were published on the Threat Detection Marketplace.


The submissions that were declined did not meet the acceptance criteria for publication. We remind all members of the Threat Bounty Program who plan to have their content published on the SOC Prime Platform for monetization to consider the content requirements when creating and submitting their Threat Bounty rules.

Detection rules that cannot be used effectively for behavioral threat detection in real-world conditions, in the production environments of enterprises, are not accepted for publication by SOC Prime. To keep the professional level of our active Threat Bounty authors aligned with the actual demand for actionable behavioral threat detection algorithms, we present our standards and technologies at SOC Prime's webinars and workshops, and we recommend following these activities to stay informed and develop your professional skills and interests accordingly.

TOP Threat Bounty Detection Rules

These five detection rules published by members of the Threat Bounty Program demonstrated the best match for the demand of the organizations who use the SOC Prime Platform for enhancing their security operations:

Suspicious IcedID (aka Latrodectus [IceNova]) Malware Execution Activity by Detection of Associated Commands (via process_creation) – threat hunting Sigma rule by Davut Selcuk that identifies suspicious execution activity related to the IcedID (aka Latrodectus [IceNova]) malware by monitoring process creation events.

Possible ShrinkLocker Ransomware Activity to Abuse Microsoft BitLocker via Modifying Associated Registry Key (via registry_event) – threat hunting Sigma rule by Emre Ay that detects ShrinkLocker ransomware behavior attempting to modify a registry value, which allows it to abuse Microsoft BitLocker.

Suspicious Latrodectus (IceNova) Malware Execution Activity Detected by rundll32.exe (via process_creation) – threat hunting Sigma rule by Davut Selcuk that detects suspicious execution activity associated with the Latrodectus (IceNova) malware leveraging rundll32.exe for execution.

Possible Registry Key Modification Activity of ShrinkLocker Ransomware to Abuse BitLocker (via registry_event) – threat hunting Sigma rule by Emre Ay that detects the suspicious modification of a BitLocker-related registry value performed by ShrinkLocker ransomware.

Suspicious Malicious C2 Activity of 'MuddyWater against a Middle East target' By Detection of PowerShell CommandLine – threat hunting Sigma rule by Aung Kyaw Min Naing. This rule detects malicious PowerShell execution by MuddyWater against a Middle East target that abuses the AutodialDLL registry key to load a DLL for the C2 framework.

Top Authors

The following contributors of crowdsourced threat detection rules to the Threat Bounty Program achieved the highest rating positions, based on how their Threat Bounty detections were used by organizations via the SOC Prime Platform:

Davut Selcuk

Nattatorn Chuensangarun

Emir Erdogan

Sittikorn Sangrattanapitak

Osman Demir

Two authors of Threat Bounty detection rules, Joseph Kamau and Bogac Kaya, achieved the milestone of 10 successful publications this year and are recognized as Trusted SOC Prime Contributors.

Upcoming changes

The changes to the Threat Bounty Program tools that were described in the previous monthly digests are going live soon. Namely, members of the Threat Bounty Program will begin using Uncoder AI for their Threat Bounty publications and progress tracking. The Developer Portal, as well as the Sigma Rules Slack Bot, will no longer be supported and will not be used for the Threat Bounty Program. The user guidelines will be available on SOC Prime's Help Center, and program members will be able to try out the new tool for submitting their detections once Uncoder AI is ready for use with Threat Bounty rules. Stay tuned for our upcoming announcements about the Threat Bounty Program!
