SOC PRIME THREAT BOUNTY — FEBRUARY 2022 RESULTS

Threat Bounty Program 2022

Power of Community Collaboration

On Thursday, February 24, 2022, the independent country of Ukraine was brutally attacked by Russian military forces. Turning down the regulations of international law, existing diplomatic agreements, and basic principles of humanity, the armed forces of the Russian Federation actively and openly supported by the ruling regime, have been barbarously attacking sovereign Ukraine from the North, the South, and the East. 

The role and the impact of community collaboration in cyberspace have transformed to an evolutionary new level, shifting from the altruistic hobby-like contributions to the powerful potential standing the guard of the planet’s future. Security experts all over the world unite to defend the organizations at all levels to withstand emerging threats, especially related to the attacks of the hacker groups adhering to the Russian government.

Members of the SOC Prime Threat Bounty community have actively joined the call for help and contribute detection content helping organizations all over the globe to defend against emerging cyber threats, keeping a close eye on malicious activities and hacker groups backed by the Russian government and its affiliates. Threat Bounty content authors supply Sigma-based detections to spot possible attacks targeting governments as well as public and private sectors organizations. 

February ‘22 Results

In February 2022, Threat Bounty content authors successfully published 173 unique detections to the SOC Prime Platform. For various reasons, 271 rules failed the validation from the SOC Prime Team and were not published. The most common reasons for rejection of publications were:

  • The suggested logic is already covered by existing content on the SOC Prime Platform (duplicates);
  • The suggested detection is purely based on the Indicators of Compromise (IOC-based Sigma rules);
  • The suggested rule contains unfixable logic pitfalls, and the rule can not be fixed within several iterations of review and feedback;
  • Threat Bounty members suggest detection rules created by other authors (plagiarism);
  • The suggested content does not have any detection value.

All Threat Bounty content is published to the SOC Prime Platform, after undergoing automatic check-up and expert validation. Our professionals provide feedback on possible content improvements so that content authors could make changes to their rules and resubmit them for publication. However, SOC Prime provides neither step-by-step instructions during content verification nor entry-level training for beginners in detection content engineering.

Rewards and TOP Authors

The following Threat Bounty Program content authors received the most rating for their content contributions:

Osman Demir

Sittikorn Sangrattanapitak

Onur Atali

Aytek Aytemur

Emir Erdogan

This means that detections by these authors were the most viewed, downloaded, and deployed by unique clients in the SOC Prime Platform. 

Based on the Threat Bounty rating for February 2022, the average payout for active content developers is $1500.

TOP Content by Threat Bounty Developers

TA2541 Targeting Aviation, Aerospace, Transportation and Defense Industries (via process_creation) Sigma-based detection query by Osman Demir detects the recent attacks of the TA2541 threat group.

Suspicious Registry Entry (via registry_event) Sigma-based detection query by Osman Demir detects the Kovter malware family that targets Windows systems.

Exploitation of the Log4j(CVE-2021-44228) vulnerability in VMware Horizon (via Scheduled Task Creation) Sigma-based detection query by Aytek Aytemur detects command lines used to create a Scheduled Task used to maintain persistence, store command and control (C2) and wallet configurations.

Malicious Macro Execution Detect Sigma-based detection query by Onur Atali detects malicious macro that is enabled & clicked of a registry key created during malicious macro execution.

XSL Script Process Network Connections Sigma-based detection query by Onur Atali detects msxls process network connection. Msxsl is a command-line utility used to perform XSL transformations.

We appreciate the time and efforts that Threat Bounty content developers are devoting to the creation of actionable detection content. Together, we can help organizations worldwide get the detection content timely and withstand emerging threats. If you want to join SOC Prime’s crowdsourcing initiative and contribute to the global cyber defense while continuously improving technical skills and receiving recurrent rewards for your contributions, feel free to apply for participation!