SOC Prime Threat Bounty — July 2023 Results

Threat Bounty Publications

In July, enthusiastic Threat Bounty Program members submitted 775 rules for consideration for publication on the SOC Prime Platform for monetization. Before a rule is published for monetization, the SOC Prime team examines it thoroughly; rules that do not satisfy the acceptance criteria, and submissions that violate the Program Terms, are rejected. In total, 102 Sigma rules were successfully published and are available to SOC Prime Platform users.


We appreciate the effort that all Threat Bounty Program members invest in researching and developing Sigma rules, as well as their commitment to improving their skills and the quality of their detections. Program members who have just started writing Sigma rules for monetization can practice different approaches to creating them with Uncoder AI. Sigma rule authors can also benefit from its IDE-style interface for Sigma creation, its syntax validation, and the rule-improvement recommendations it suggests automatically. This may be particularly helpful for Program members who have extensive experience as detection engineers but little practice with Sigma rules.

TOP Threat Bounty Detection Rules

Below are the highlighted detections published via the Threat Bounty Program that received the most interest and interactions from unique organizations on the SOC Prime Platform:

  1. Suspicious Citrix Gateway Pre-Auth XSS [CVE-2023-24488] Vulnerability Exploitation Attempt by Detection of Associated Web Request (via webserver) by Mustafa Gurkan KARAKAYA detects possible exploitation attempts against the Citrix Gateway XSS vulnerability by identifying malicious payloads sent in web requests.
  2. Possible Command Execution of Citrix ADC Zero-Day (CVE-2023-3519) Vulnerability To Extract Information To Suspicious Path (via process_creation) by Mustafa Gurkan KARAKAYA detects commands possibly used during exploitation of CVE-2023-3519 to copy critical information to a suspicious path.
  3. Possible Unauthorized Email Access by Storm-0558 APT Group (via web-server) by Mise detects the unauthorized email access techniques used by the threat actor Storm-0558.
  4. Possible Lokibot Targeting Microsoft Office Document Using Known Vulnerabilities by Detection of Associated Commands (via process_creation) by Emre Ay detects the Lokibot campaign that targets Microsoft Office documents through known vulnerabilities, based on the commands associated with it.
  5. Suspicious WordPress Survey Maker SQL Injection Vulnerability [CVE-2023-23490] Exploitation Attempt by Detection of Associated Web Request (via webserver) by Mustafa Gurkan KARAKAYA detects possible SQL injection exploitation attempts against the WordPress Survey Maker plugin by identifying the associated web requests.

Top Authors

As usual, here is the list of the TOP 5 Threat Bounty members whose rules received the most interest from unique organizations using the SOC Prime Platform. Notably, Sigma rules that detect malicious behavioral patterns are the content companies are most interested in. In July, the Sigma rules by these authors (counting every rule they have ever published to the SOC Prime Platform) were the most popular and in demand:

  1. Mustafa Gurkan KARAKAYA
  2. Nattatorn Chuensangarun
  3. Sittikorn Sangrattanapitak
  4. Osman Demir
  5. Emir Erdogan

Explore new opportunities for professional development and recognition among peers while contributing to global cyber defense via the SOC Prime Threat Bounty Program.