SOC Prime Threat Bounty — April 2023 Results


Threat Bounty Publications

In April, the active members of the SOC Prime Threat Bounty community submitted 430 detection rules to the SOC Prime team for verification and a chance to monetize their content. However, only 64 rules passed validation and were successfully published to the SOC Prime Platform.


We understand that the amount of rejected content is frustrating for many of our experienced content creators, and we are seeking ways to address the related challenges by keeping the developers up to date on the content acceptance criteria, industry best practices, and opportunities within the Program. However, striving to deliver top detection content quality, we run the content verification procedures in accordance with industry best practices. This requires a number of thorough checks to keep up with the quality standards and ensure threat hunting and detection efficiency, so that SOC Prime customers can derive more value from curated detection algorithms.

On May 2, we held a dedicated roundup session for Threat Bounty content developers, where we covered the questions and issues which most of our Threat Bounty members regularly encounter. Thus, if you want to improve the quality of your Threat Bounty content, reduce the rejection rate, and understand how you can earn more with your submitted rules, we recommend you watch the recording of the Threat Bounty Developer Roundup session.

Namely, you can find the answers to the following questions:

  • Communications and content improvement recommendations by SOC Prime.
  • How the rating is calculated. A detailed explanation of what influences the rating of your Threat Bounty content and which activities and rules do not take part in the content rating calculation.
  • Steps of rule validation for approval, and what can slow down the validation of your rule.
  • Detailed information about detection duplicates. Also, we provide details on how to avoid typical duplication mistakes and showcase how to search for possible existing detections on the SOC Prime Platform using Lucene query search. 
  • Hints on writing better Sigma rules. We provide very specific definitions of different classes of rules depending on their value with examples. Besides, you can also learn more about the requirements for minimal viable detection.
  • On top of that, we shared guidelines for Threat Bounty content developers on rule naming and a detailed explanation of frequent Sigma mistakes with examples and recommendations for improvement. This information is available on SOC Prime’s Help Center. Please note that you need to log in to the SOC Prime Platform to view this documentation.

We believe that all this can help our Threat Bounty members improve their content and earn more with SOC Prime.

TOP Threat Bounty Detection Rules

Possible Discovery Activity of Lazarus Apt Group by Accessing the Default Domain Controllers Policy (via process_creation) threat hunting Sigma by Emre AY detects Lazarus APT Group activity that attempts to access the default domain controllers policy directly to discover information about the victim system.

Possible RSAT[Remote Server Administration Tools] Download Attempt by Detection of Associated Commandline Used By Threat Actors (via process_creation) threat hunting Sigma by Mustafa Gurkan Karakaya detects an RSAT (Remote Server Administration Tools) download attempt by associated commands used by threat actors. This tool includes the ActiveDirectory PowerShell module; with it, attackers can export user and computer information from Active Directory and perform information gathering activity on the DC.

Suspicious Defense Evasion Activity Through Disable Network Level Authentication (NLA) by Detection of Associated Commandline (via process_creation) threat hunting Sigma by Mustafa Gurkan Karakaya detects possible defense evasion activity that disables NLA via command-line arguments.

LockFile Ransomware using ProxyShell for exploiting Microsoft Exchange Vulnerabilities threat hunting Sigma by Nattatorn Chuensangarun detects the suspicious activity of LockFile Ransomware using ProxyShell via WMIC commands that execute the malware.

Suspicious QakBot Malware Behaviour With Associated Commandline by Spreading Malicious OneNote Document (via process_creation) threat hunting Sigma by Mustafa Gurkan Karakaya detects Quasar RAT malware behavior via process creation. In this attack, after the malicious OneNote document macro runs, the malicious PNG file is downloaded from the remote server. Then this malicious file is run with rundll32. Attackers spread QakBot malware via OneNote documents.
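
The behaviour named in the last description, rundll32 executing a file that carries a .png extension, can be hunted in process-creation telemetry. The Python below is an added example, not the published Sigma rule or any SOC Prime code; the `Image`/`CommandLine` field names, the extension list, the export name `Entry` and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Image-file extensions a legitimately loaded DLL should not carry (assumed list).
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}

# One token is either a double-quoted string or a run of non-space characters.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def rundll32_module(command_line):
    """Return the file rundll32 was asked to load, or None if there is none."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(command_line)]
    if len(tokens) < 2:
        return None
    # rundll32 separates the module from its export with a comma.
    return tokens[1].split(",", 1)[0] or None


def is_suspicious(event):
    """True when rundll32.exe loads a file with an image extension."""
    if ntpath.basename(event.get("Image", "")).lower() != "rundll32.exe":
        return False
    module = rundll32_module(event.get("CommandLine", ""))
    # Compare case-insensitively so photo.PNG is caught as well as photo.png.
    return module is not None and ntpath.splitext(module)[1].lower() in IMAGE_EXTENSIONS


def hunt(events):
    """Return the command lines of all events that match."""
    return [e["CommandLine"] for e in events if is_suspicious(e)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\sample.png,Entry"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32 "C:\Users\Public\My Files\photo.PNG",Entry'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r"mspaint.exe C:\Users\Public\sample.png"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Matching on the loaded file's extension rather than on a parent process keeps the check independent of whichever intermediate process launches rundll32.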

Top Authors

Threat Bounty detections by the following authors gained the most attention from clients, bringing these authors the leading positions:

Nattatorn Chuensangarun

Sittikorn Sangrattanapitak

Osman Demir

Mustafa Gurkan KARAKAYA

Emir Erdogan 

The average payout to Threat Bounty content developers for the April content traction is $1,406.

Monetize your detection engineering skills by contributing your Sigma rules to the SOC Prime Platform via Threat Bounty Program. Develop your detection engineering skills with feedback from the market leader to build a strong CV and smoothly advance in your cybersecurity career.