SOC Prime Threat Bounty — January 2022 Results

Threat Bounty Program

January ‘22 Results

In January 2022, Threat Bounty content authors successfully submitted 178 unique detections to the SOC Prime Platform. 

179 rules failed the verification by SOC Prime Team and couldn’t have been improved to match our content quality requirements. Also, a significant number of rules went through several iterations of SOC Prime Team review and were successfully published to the Platform. The most common reasons for content publications rejections were:

  1. The suggested detection rule violates the Program License Agreement and violates the rights of third parties. SOC Prime accepts only the content that is the original work of Threat Bounty members and does not knowingly allow the publication of content that is copyrighted or subject to proprietary rights of third parties.
  2. The suggested logic or syntax of the detection is wrong or inaccurate and needs improvements.
  3. The Rule name and description of the suggested detection do not correspond to the detection logic or do not explicitly explain what exactly the rule does. 

Numerous content publication rejections and re-submissions caused queues for verification. Detections are verified by SOC Prime one by one, starting from the rules that came to review first. If content authors create their detections following SOC Prime’s recommendations and guides, this increases the chances for content publication within the first iterations. Moreover, numerous iterations for content editing reduce the probability for publication, because similar detections by other authors can be successfully published to the SOC Prime Platform during this time.

Rewards and TOP Authors

Individual authors’ rating and cash earned depends on the popularity of their content with unique SOC Prime Platform clients. This month, the average payout for content authors who published content via the Threat Bounty Program is $1,426.

The following Threat Bounty Program content authors received the most rating for their content contributions:

Osman Demir

Onur Atali

Nattatorn 

Sittikorn

Emir Erdogan

To read more about the expertise and experience of our Threat Bounty content authors, please see the Interviews

TOP Content by Threat Bounty Developers

CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability Sigma query that detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity.

Suspicious Outbound Connection by JAVA process, Possible Log4j RCE [CVE-2021-44228] Exploitation Sigma query detects suspicious outbound connection attempt to LDAP, RMI, or DNS standard ports by JAVA process.

Log4j RCE (CVE-2021-44228) Exploits via Payload Popping a Calculator (calc) Sigma query that detects the suspicious command of the attacker sent first a payload popping a calculator (calc), then exploits the vulnerability of Log4j RCE.

noPac [CVE-2021-42287 – CVE-2021-42278] Scanner & Exploiter Tool Sigma query detects noPac Scanner & Exploiter Tool via Powershell.

Khonsari Ransomware Exploited with Log4j Vulnerability Sigma query identifies a ransomware family, dubbed “Khonsari”, linked to threat actors that exploited Log4j vulnerability.

All the detections published in terms of the Threat Bounty Program undergo quality checks and are published to the SOC Prime Platform after the verification. The detections contain references on the detected malicious activities as well as tags of the MITRE ATT&CK® framework v.10.

Eager to make the world a safer place? Join our Threat Bounty program, share your Sigma and Yara rules via the dedicated Developer Portal to the SOC Prime Platform, and get recurrent rewards for your individual contribution!

Go to Platform Join Threat Bounty