SOC Prime Threat Bounty — August 2022 Results

August ’22 Publications

In August, 151 Sigma rules submitted by Threat Bounty Program members passed the SOC Prime acceptance validation and were released on the SOC Prime Platform. In total, 313 rules were declined during the first iteration of the review for different reasons, including content quality, the detection value of the suggested code, and full or partial duplication of already published content. However, 161 rules suggested by the community members didn’t pass the verification at all.

The Sigma rules published by Threat Bounty members are available on the SOC Prime Search Page and are also included in our blog articles.


TOP Authors and Rewards Information

The average payout to active content contributors in August was around $1,500. The following Threat Bounty content authors gained the highest rating based on the usage of their published content by unique SOC Prime clients:

Nattatorn Chuensangarun

Kyaw Pyiyt Htet

Aytek Aytemur

Furkan Celik

Osman Demir

Content Rating

As has been mentioned many times, SOC Prime pays rewards to Threat Bounty members based on the rating of their content. The rating, in turn, depends heavily on the number of unique SOC Prime clients who use Threat Bounty content via the Platform and, of course, on some characteristics of the rule itself.

There are several things that one should keep in mind to understand the potential of their published content.

  1. Sigma type. It is known that threat hunting rules have more lifetime value than IOC rules. Thus, if your Sigma rule is a threat hunting Sigma, it has an increased coefficient, and its capacity to gather rating is higher.
  2. Available working translations of your Sigma rule. The more clients can use your detection, the more rating it harvests for you: you get counts of code views, downloads, and deploys any time a unique client uses your detection.
  3. Rule lifetime applicability and value. All Threat Bounty content takes part in rating calculation and brings money to the author – including rules that were published yesterday and two years ago. So, it is in the best interest of the content author to keep all their Threat Bounty content up to date. 

Starting from October 2022, the rule type (basic or advanced) will not be taken into account for rating calculation. The feature EOL is caused by changes to SOC Prime Subscription models.

Top Rated Content

Possible PortDoor Backdoor Execution by Microsoft Office vulnerability [CVE-2017-11882] through Spear Phishing (via file_event) threat hunting Sigma rule by Nattatorn Chuensangarun detects suspicious files associated with Chinese attackers who use malicious code exploiting the Microsoft Office vulnerability (CVE-2017-11882) to deploy PortDoor malware via spear-phishing emails.

Possible APT41 Persistence by Creating Scheduled Task and Created Windows Services (via process_creation) threat hunting Sigma rule by Nattatorn Chuensangarun detects suspicious APT41 activity that creates a scheduled task and Windows services to persist on the target system.

Suspicious BlackNet RAT Persistent Activity (Aug-2022) by Detection of Associated Registry Keys (via Registry_Event) threat hunting Sigma rule by Kyaw Pyiyt Htet detects persistence activities of BlackNet RAT malware, a Windows botnet with a PHP-based web panel and a builder written in VB.NET.

Possible Cuba Ransomware Defense Evasion by Configuring Kernel Driver to File System (via process_creation) threat hunting Sigma rule by Nattatorn Chuensangarun detects suspicious Cuba Ransomware activity that configures a kernel driver and writes ‘ApcHelper.sys’ to the file system.

Suspicious Quasar RAT Scheduled Task Execution (July-2022) by Detection of Associated Commands (via CmdLine) threat hunting Sigma rule by Kyaw Pyiyt Htet detects persistence activities of Quasar RAT .NET malware.

All rules submitted via the Threat Bounty Program undergo several stages of quality assessment before publication, from automated tests to verification by SOC Prime engineers. Sigma rules suggested by vetted community members are mapped against the latest version of MITRE ATT&CK® and have references to open-source information that provides additional context for the detected activity.

Join SOC Prime Threat Bounty Program to boost and monetize your detection engineering skills!