SOC Prime Threat Bounty — April 2022 Results

Threat Bounty Program

In April, the Threat Bounty Program members contributed to the defense of the global community against the most recent cyber threats. Notably, the keen members of the Threat Bounty community have contributed detections helping to withstand recent FIN7 attacks, the TraderTraitor MalwareQuantum Ransomware, and many others.

Read More Go to Platform

April ‘22 Results

In April 2022, the detection content authors of the Threat Bounty community have successfully published 176 unique detections — 131 basic and 45 advanced rules. The detections published by the Threat Bounty content authors are available to users of the SOC Prime platform based on their current Subscription Plan.  

Each submitted detection goes through validation by the SOC Prime Team. In April, the content experts provided Threat Bounty content authors with 403 recommendations and rejection reasons on major content quality issues such as content duplicates, wrong detection logic, and lack of detection context and metadata.

TOP Authors and Rewards Information

Onur Atali

Emir Erdogan

Furkan Celik

Aytek Aytemur

Sittikorn Sangrattanapitak

The detections on the SOC Prime Platform published in terms of the Threat Bounty Program by these authors gained the most rating in April. 

The average payout is $1,509, which reflects the popularity and the value of the detections published by each author and consumed by the clients of the SOC Prime Platform. 

Top Rated Content

Suspicious regsvr32 execution (via process creation) detection by Onur Atali detects the possible malicious activity of Emotet when it is trying to propagate itself using an excel file and creates a malicious file under the system32 directory by using regsvr32.exe.

Suspicious SharpMove Lateral Movement Tool Execution by Use of Tools Command Arguments (via cmdline) Sigma query by Onur Atali detects malicious SharpMove tool commands.

Suspcious Iranian EvilNominatus Ransomware Behaviour via process_creation Sigma rule by Emir Erdogan detects suspicious behavior of the EvilNominatus ransomware that is considered to be an Iranian Based attacker group, by using process creation logs.

Suspicious Conti Ransomware Group (April 2022) Activity by Detection of Associated Commands on ESXi (via cmdline) Sigma rule by Emir Erdogan detects suspicious behaviors of the Conti ransomware group on ESXİ via command-line arguments.

FIN7 (Financial Threat Group) uses Multiple Tools in its New Campaign (via process_creation) Sigma rule by Aytek Aytemur detects possible activities of the FIN7 who are using TERMITE to load and execute a shellcode stager for Cobalt Strike BEACON.

To have your verified content published to the SOC Prime’s Detection as Code platform and receive recurring rewards for your contributions, join Threat Bounty Program, submit detection content including Sigma and YARA rules, and get them verified by SOC Prime experts!