SOC Prime Threat Bounty — February 2023 Results

Threat Bounty Publications

In February 2023, members of the Threat Bounty Program significantly contributed to the SOC Prime Platform. They provided detection rules that address the quality demands and security needs of hundreds of organizations that leverage the SOC Prime Platform for day-to-day operations.

Because all detections submitted via the Threat Bounty Program are published for monetization, SOC Prime validates each rule and decides on each detection regardless of who submitted it or how many times the suggested detection failed validation before.

In February, SOC Prime received 542 rules for review from members of the Threat Bounty Program. Many of the suggested rules failed the first validation and were returned to the authors for edits and corrections where possible; as a result, 119 detections were approved by the SOC Prime team for publication on the SOC Prime Platform for monetization.


We remind all Threat Bounty content authors that we only accept detections that meet the acceptance criteria, both technical and legal. The requirements are available in the Threat Bounty Terms and in the Threat Bounty FAQs, where you can find more context on why your rules may be rejected and how to improve their chances of publication. We also encourage you to join the discussions in the dedicated technical and organizational channels on the SOC Prime Discord.

TOP Threat Bounty Detection Rules

Suspicious QakBot Malware Behaviour With Associated Commandline by Spreading Malicious OneNote Document (via process_creation) threat hunting Sigma rule by Mustafa Gurkan KARAKAYA detects Quasar RAT malware behavior via process creation.

Possible ProxyShellMiner Campaign Exploiting CVE-2021-34473 and CVE-2021-34523 [ProxyShell] Vulnerabilities by Detecting Associated Files (via file_event) threat hunting Sigma rule by Aytek Aytemur detects malicious files related to a ProxyShellMiner campaign that exploits the ProxyShell vulnerabilities.

Possible OneNote Malware Execution by onenote.exe Process Outbound Connection (via network_connection) threat hunting Sigma rule by Onur Atali detects a suspicious outbound network connection attempt by the onenote.exe process. Note that network connection logging is not enabled by default, so this rule only fires where such telemetry is collected.

Suspicious Domain Admin Account Creation With Reset Security Descriptor Propagator Service Used by AdminSDHolder Attack (via process_creation) threat hunting Sigma rule by Mustafa Gurkan KARAKAYA detects possible disabling of the Security Descriptor Propagator service in support of an AdminSDHolder attack.

Suspicious Commands Execution Activity by 'Royal Ransomware' [Linux Version] (via process_creation) threat hunting Sigma rule by Aung Kyaw Min Naing (Nolan) detects the execution of suspicious commands used by Royal ransomware to encrypt VMware ESXi Linux virtual machines.

Top Authors

Based on how organizations leveraging the SOC Prime Platform used the detections published via the Threat Bounty Program, rules by the following authors were used by clients the most, and these authors therefore received the highest Threat Bounty rating and bounty rewards:

Nattatorn Chuensangarun

Mustafa Gurkan KARAKAYA

Osman Demir

Sittikorn Sangrattanapitak

Onur Atali

Join the Threat Bounty Program to strengthen your CV in detection engineering, contribute to the SOC Prime Platform, and become a trusted part of the collective cyber defense.