SOC Prime Threat Bounty — December 2021 Results

Threat Bounty Program

December ‘21 Results

In December 2021, Threat Bounty Program developers contributed 219 new detections to the SOC Prime Platform. To ensure the continuous quality enhancement of the published content, 231 rules earlier released by Threat Bounty authors were improved and updated. 

SOC Prime Threat Bounty results for the previous month are available in NOVEMBER ‘21 RESULTS.

All the rules submitted by Threat Bounty contributors undergo checkup by the SOC Prime Team who stands guard to deliver only the content of the highest quality. Last month, 298 submissions failed to pass the quality testing and as a result, those publications were rejected. The common rejection reasons were related to the violation of Sigma DRL and the Program Licence Agreement, as well as content syntax and detection logic pitfalls.

As Log4j became the most notorious and thus highly demanded topic for threat detection content, the Threat Bounty Program members actively contributed Sigma and Yara rules to enhance the industry’s defense against this threat. To enable detection of possible Log4j exploits, the Threat Bounty content authors promptly researched and submitted detections for a variety of products and log sources. Overall, 73% of dedicated Sigma rules were developed by Threat Bounty authors. See the list of available detections related to Log4j in the SOC Prime Platform. 

The published SOC content goes along with the publicly available references adding context to the detections, as well as tags according to the MITRE ATT&CK® framework. Utilizing the options for content data schema customization and automation of content delivery, security professionals had the opportunity to successfully apply the tailor-made detections within less than 36 hours after the PoC.

Top Authors and Rewards

Threat Bounty content authors who gained the highest rating for their detections published within the SOC Prime Platform in December 2021:

Osman Demir

Sittikorn Sangrattanapitak 

Onur Atali

Nattatorn Chuensangarun

Emir Erdogan

Kaan Yeniyol

Based on the rating of detections published by Threat Bounty contributors, the average payout for active content authors in December 2021 is $1,584.

The rating is based on the number of interactions with the published content rather than just the number of released rules, with major reliance on the relevance of detections for 23,000+ our users from 6,500+ companies worldwide along with the lifelong detection value of the provided content.

At SOC Prime, we encourage Threat Bounty authors to create content tailored to the needs of our community and clients. Although it is always the author’s decision whether to publish the new rule as Community (Free) or Exclusive (Paid), we rate the Exclusive content x2 higher for the Bounty reward calculation.

Based on the analysis of the submitted content and the clients’ feedback, by the end of Q1 2022, we will update the Threat Bounty Program rating calculation model. To financially motivate Threat Bounty content developers to research and submit detections of the highest quality, we will introduce the increased rates for Exclusive and Threat Hunting Sigma content.

Top Content by Threat Bounty Developers

TOP 1: Palo Alto Log4j RCE [CVE-2021-44228] Exploitation Attempt from Internet Exclusive threat hunting Sigma Query by Sittikorn is the most top-rated rule of the month. With this detection, the Premium users of the SOC Prime Platform can spot the adversaries’ attempts to exploit Apache Log4j RCE vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105, CVE-2021-44832) on Palo Alto Firewall with Threat Prevention feature.

TOP 2: Detect Suspicious Outbound Connection by JAVA process, Possible Log4j RCE [CVE-2021-44228] Exploitation Community threat hunting Sigma query by Onur Atali detects suspicious outbound connection attempt to LDAP, RMI or DNS standard ports by JAVA process.

TOP 3:  CVE-2021-41773 Apache 2.4.49 – Path Traversal Exclusive threat hunting Sigma Query by Zer0 Ways (@0w4ys) detects exploitation attempt of Apache 2.4.49 – Path Traversal

TOP 4: Log4j RCE Exploitation Detection Patterns – CVE-2021-44228 (via Zeek) Exclusive threat hunting Sigma Query by Kaan Yeniyol.

TOP 5: Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks (CVE-2021-40444) (via process_creation) Exclusive threat hunting Sigma Query by Aytek Aytemur 

Explore the SOC Prime Platform for collaborative cyber defense, threat hunting and discovery to boost threat detection capabilities and defend against attacks easier, faster, and more efficiently. Want to join our crowdsourcing initiative to make the world a safer place? Get started with the industry-first Threat Bounty Program!

Go to Platform Join Threat Bounty