July ‘22 Updates
During the previous month, we introduced several improvements to content validation and Sigma Rules Bot for Threat Bounty, released a number of blog articles providing an extended context to the threat detection rules published by Threat Bounty Program members, and worked in close cooperation with content authors on improving the already existing content.
Warden – Sigma Automagic Check Tool
By submitting detections with Threat Bounty, Sigma rule authors have an opportunity to find and correct the most common Sigma issues themselves and ensure that the detections they send for review by the SOC Prime Team are technically correct and unique. Sigma rule authors can use the automated validator on their rules before sending a detection for review by the SOC Prime Team.
To ensure the best experience for Threat Bounty Sigma authors and the content quality of detections published to the SOC Prime Platform, we have recently added new checks and extended the existing messages providing information on warnings, errors, and notifications.
We highly recommend Threat Bounty Sigma authors check their Sigma rules with Warden, and include the recommended changes to their rules based on the Warden responses.
July ‘22 Publications
In June, 156 new rules by Threat Bounty members were published to the SOC Prime Platform and are available to users based on their subscription. Also, these detections were added to SOC Prime’s Search Engine, where the information about the rule is available along with the Author’s personal profile.
However, 262 rules reviewed by the SOC Prime Team were rejected for publication because of content quality issues or because a rule with similar detection logic already existed on the SOC Prime Platform at the moment of content review. Where possible, the verification team provided the authors with feedback for content improvements.
Bounty Payment and TOP Authors
The average payout to active content contributors in June was $1,360, and the highest bounty reached $2,800.
The bounty payment mostly depends on how much of an author’s content (submitted via Threat Bounty) is used by unique clients of the SOC Prime Platform. That is why we encourage Threat Bounty members to keep their earlier published rules updated where applicable, so that detections continue to be delivered successfully to users. With more high-quality content available to clients, Threat Bounty members can keep earning rating points with their earlier published rules.
The following Threat Bounty content authors gained the highest rating based on the usage of their published content by unique SOC Prime clients:
To ensure that Threat Bounty members submit the content most anticipated by SOC Prime clients, we regularly suggest topics and directions for research and content creation, so that our Threat Bounty members can monetize the best of their skills.
Top Rated Content
The detections listed below received the highest rating based on the rule’s characteristics and customers’ activities.
Possible Matanbuchus Loader Execution by Spread Malware through Malspam Campaign (process_creation) Sigma rule that detects Matanbuchus loader activity: the loader is spread through malspam campaigns and runs malicious files that establish command and control with Cobalt Strike.
Possible Initial Access by ZuoRAT Hijacks (via proxy) threat hunting Sigma rule detects a possible ZuoRAT attack. ZuoRAT is a MIPS binary compiled for SOHO routers that can enumerate the host and the internal LAN, capture packets transmitted through the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).
Detect Suspicious Scanning Critical Backup Files (via proxy) Sigma rule detects possible scanning of critical backup files on web servers done more frequently than 5 times in 10 minutes.
Suspicious Scheduled Task creation after Log4shell Exploitation in VMware Horizon Systems (via process_creation) Sigma rule detects highly suspicious scheduled task creation by hmsvc.exe with the help of process_creation logs.
Primitive Bear APT Group Actively Targeting Ukraine (via process_creation) threat hunting Sigma query detects activity of the Gamaredon group that launches SFX files, observed via process creation events. SFX files allow someone to package other files in an archive and specify what will happen when a user opens the package.
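The proxy-based backup-file scanning rule listed above is a thresholded detection (more than 5 hits in 10 minutes per source). As an added example that is not SOC Prime's or the rule author's code, here is that logic as a Python sliding-window detector run over constructed proxy log lines; the log layout, the sample traffic and the list of backup-file name patterns are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed proxy log lines in an assumed "<ISO time> <src_ip> <method> <url> <status>" layout
# (not real traffic, not any vendor's native format). 10.0.0.7 probes six backup names in 6 minutes.
SAMPLE_PROXY_LOG = """\
2022-06-14T10:00:05 10.0.0.7 GET http://www.example.test/backup.zip 404
2022-06-14T10:01:10 10.0.0.7 GET http://www.example.test/db.sql 404
2022-06-14T10:02:15 10.0.0.7 GET http://www.example.test/site.tar.gz 404
2022-06-14T10:03:20 10.0.0.7 GET http://www.example.test/wwwroot.bak 404
2022-06-14T10:04:25 10.0.0.7 GET http://www.example.test/backup.sql 404
2022-06-14T10:05:30 10.0.0.7 GET http://www.example.test/old.rar 404
2022-06-14T10:06:35 10.0.0.9 GET http://www.example.test/index.html 200
2022-06-14T10:30:00 10.0.0.9 GET http://www.example.test/backup.zip 404
2022-06-14T10:45:00 10.0.0.9 GET http://www.example.test/backup.zip 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumed definition of "critical backup file": a path segment containing "backup",
# or a common archive/dump extension, optionally followed by a query string or fragment.
BACKUP_PATH_RE = re.compile(
    r"(?:/[^/?#]*backup[^/?#]*|\.(?:bak|old|zip|rar|7z|sql|tar\.gz|tgz))(?:[?#].*)?$", re.I)

def is_backup_request(url):
    """True when the URL path (scheme and host stripped) names a backup-like file."""
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]+", "", url, flags=re.I)
    return BACKUP_PATH_RE.search(path) is not None

def detect_backup_scanning(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (src_ip, window_start, count) once per source whose backup-file
    requests exceed `threshold` inside a sliding `window` (the rule's 5-in-10-minutes)."""
    recent = defaultdict(deque)  # per-source timestamps of backup-file requests
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, src, _method, url, _status = m.groups()
        if not is_backup_request(url):
            continue
        ts = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0].isoformat(), len(q)))
    return alerts
```

In the sample, 10.0.0.7 fires once its sixth backup-file request lands inside the window, while 10.0.0.9's two requests 15 minutes apart never accumulate.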
The Sigma rules by Threat Bounty authors are applicable for various SIEM, EDR, and XDR solutions supported by the SOC Prime Platform, contain metadata providing additional context to the detected activity, and are mapped against the MITRE ATT&CK® framework.