SOC Prime Threat Bounty — December 2022 Results

December ’22 Publications

During the last month of 2022, Threat Bounty developers submitted 441 rules for review by the SOC Prime Team for a chance of publication on the Platform for monetization. The submitted rules were reviewed by a team of seasoned engineers, and based on their collective decisions, 126 rules were released to the SOC Prime Platform in December 2022.


As usual, the most common reasons for rejecting content were flaws in the detection logic, full or partial overlap with existing detections, and Sigma rules with poor detection value. The verification team's feedback is communicated to the content authors; nevertheless, Threat Bounty developers are strongly encouraged to research existing detections and industry best practices to the best of their ability and to follow SOC Prime's recommendations, for example:

SIGMA Rules: The Beginner’s Guide

Security Talks with SOC Prime: All About SIGMA

SIGMA vs Indicators of Compromise

SOC Prime webinar: Data Sources

Security Talks with SOC Prime: Ideas for detections, from hypothesis to hunt

Top-Rated Content

The following threat detection rules attracted the most interest and interactions from SOC Prime users during December:

Possible AppleJeus Malware (Lazarus APT) Execution by Detection of Associated Files [Targeting Cryptocurrency Users] (via file_event) threat hunting Sigma rule by Wirapong Petshagun detects file creation events associated with AppleJeus malware, which Lazarus APT uses in a new campaign that delivers the malware via fake cryptocurrency applications.

Possible Black-Basta Attack [QakBot] (November 2022) Lateral Movement Activity By Detection of Associated Process (via process_creation) threat hunting Sigma rule by Zaw Min Htun detects the execution of a Cobalt Strike payload via rundll32.exe with SetVolume commands, as used by Black-Basta leveraging Qakbot in a widespread campaign.

Suspicious Aggressive Qakbot Campaign Execution by Detection of Associated Commands [Targeting U.S. Companies] (via powershell) threat hunting Sigma rule by Osman Demir detects a possible aggressive Qakbot campaign in which PowerShell is used to query Active Directory Domain Services for information.

Possible TA542/Emotet Malware Execution by Loading Bumblebee Malware with DLL Files (via process_creation) threat hunting Sigma rule by Nattatorn Chuensangarun detects a suspicious rundll32 command-line argument used to load a malicious function from the Bumblebee malware DLL, as used by TA542 in a recent attack.

Possible Emotet Malware Execution by Deploying AnyDesk via Using MeshCentral (via process_creation) threat hunting Sigma rule by Emre Ay detects suspicious Emotet activity in which AnyDesk is deployed through an installation performed with MeshCentral.
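The rundll32.exe SetVolume pattern described in the Black-Basta rule above, evaluated by a minimal Sigma-style matcher over sample process_creation events. This is an added example, not the published Threat Bounty rule or SOC Prime code; the rule content, the constructed events and the field names are assumptions for illustration.

```python
from typing import Any

# Illustrative Sigma-style rule modelled on the Black-Basta / Qakbot description above;
# an assumed example for this demonstration, not the published Threat Bounty rule.
RULE: dict[str, Any] = {
    "title": "Possible Cobalt Strike Loader via rundll32.exe SetVolume Export (illustrative)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\rundll32.exe",
                      "CommandLine|contains": [",SetVolume", " SetVolume"]},
        "condition": "selection",
    },
}

# Constructed sample process_creation events (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\crtdl.dll,SetVolume"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo SetVolume"},
]


def _match_value(actual: str, modifier: str, expected: str) -> bool:
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    a, e = actual.lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    return a == e  # no modifier: exact (case-insensitive) match


def _match_selection(selection: dict[str, Any], event: dict[str, Any]) -> bool:
    """All fields in a selection must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(str(event[field]), modifier, str(v)) for v in values):
            return False
    return True


def evaluate(rule: dict[str, Any], events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Evaluate a condition of the form 'sel' or 'sel and not filt1 [and not filt2 ...]'."""
    det = rule["detection"]
    include, *excludes = [p.strip() for p in det["condition"].split(" and not ")]
    return [ev for ev in events if _match_selection(det[include], ev)
            and not any(_match_selection(det[x], ev) for x in excludes)]
```

Only the first constructed event matches: the second is a benign rundll32 export call and the third mentions SetVolume but is not a rundll32 image, which is the kind of check that separates a focused rule from one with poor detection value.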

Top Authors

The Threat Bounty detections published by these authors received the highest ratings on the Threat Detection Marketplace:

Nattatorn Chuensangarun

Osman Demir

Emir Erdogan

Sittikorn Sangrattanapitak

Zaw Min Htun

The average Threat Bounty reward payout for December is $1,488.

Don’t hesitate to join the SOC Prime Threat Bounty Program to monetize your continuously improving detection engineering skills and contribute to global cybersecurity.