SOC Prime Threat Bounty —  January 2023 Results

Threat Bounty Program January23

Threat Bounty Publications

The first month of 2023 has brought invaluable contributions from our Threat Bounty members to the global cyber community. The SOC Prime team received 626 rules for examination and review submitted by our detection content experts. As a result, 144 rules successfully passed the verification and were published to the SOC Prime Platform for monetization, and these rules significantly contributed to the collective cyber defense.

Explore Detections

It is always a good idea to engage in discussions with the SOC Prime community on our Discord server and talk about detection engineering experience and your Threat Bounty program activities.

We strongly recommend Threat Bounty members follow the Program Terms and the content requirements for the most streamlined experience of getting their detections released for monetization on the SOC Prime Platform. Also, Threat Bounty members are welcome to follow the recommendations for detection content improvements provided by our content experts during the verification and, if applicable, apply the suggested ones to their detections. 

The core technical requirement to Sigma rules suggested for publication and monetization with Threat Bounty is that your Sigma rule should be behavioral threat detection content, meaning that it should identify and detect cyber threats by analyzing behavior patterns (refers to how a system or process functions, including actions like creating files and processes and their interrelations, changing registry keys and establishing network connections, etc.) – as opposed to relying on specific Indicators of Compromise (IOCs) (IP addresses, filenames, hashes of malware, and other identifying information), or intended to be triggered by alerts of other security solutions. 

Another critical requirement is that it should be a unique detection, not violating the intellectual property rights of any third party.

TOP Threat Bounty Detection Rules

Suspicious Processes and Files to bypass MoTW [Mark-of-the-Web] by BlueNoroff Group (via process_creation) threat hunting Sigma rule by Aytek Aytemur detects a suspicious process from rundll32, who executes marcoor.dll, a malicious file which is associated with BlueNoroff Group.

Possible BlueNoroff Group Execution by Fetching/Executing Payload through Shortcut File (via process_creation) threat hunting Sigma rule by Nattatorn Chuensangarun detects suspicious BlueNoroff group activity by fetching and executing additional script payload when the victim double-clicked on the shortcut file.

Possible Execution Activity of Malicious Zoom Software Installer by Detection Associated Commands(via process_creation) threat hunting Sigma rule by Emre Ay detects execution commands associated with Malicious zoom installer. In this malware campaign, the malicious installer,’ZoomInstallerFull.exe’ executes IcedId Loader, ‘maker.dll’, using rundll32.exe with the “init” parameter. 

Possible ‘CVE-2023-21752’ Exploitation Attempt Detection (via File_Event) threat hunting Sigma rule by Kyaw Pyiyt Htet (Mik0yan) detects the malicious file creation of Windows Backup Service Elevation of Privilege Vulnerability (CVE-2023-21752) exploitation attempt.

Another rule by Kyaw is also in the TOP 5 Threat Bounty rules of the Month. Possible System Shell Session via CVE-2023-21752 Exploitation by Detection of Associated Command (via CmdLine) threat hunting Sigma detects the spawning of ‘nt authority\system’ shell session via Windows Backup Service Elevation of Privilege Vulnerability (CVE-2023-21752) exploitation attempt.

Top Authors

Threat Bounty rating is based upon analysis of the SOC Prime unique users’ activities with the detection code of Threat Bounty rules and does not include content comments or reviews. The following authors gained the most rating with their Threat Bounty detections based on the analysis of the January ‘23 activities:

Nattatorn Chuensangarun

Osman Demir

Sittikorn Sangrattanapitak

Emir Erdogan

Kaan Yeniyol

The average Threat Bounty reward payout for November is $1,418.

Code your CV in detection engineering and monetize your Blue Team skills. Interested? Join SOC Prime Threat Bounty now!