SOC Prime Threat Bounty — June 2023 Results


Threat Bounty Publications

In June, the active members of the Threat Bounty Program submitted 568 Sigma rules for a chance of publication to the SOC Prime Platform for monetization. As a result of verification, 74 rules were approved and successfully published.


As usual, the most frequent reasons for rejecting content for publication were:

  • Submission of rules based on hash values, IP addresses, or domain names, which sit at the Trivial, Easy, and Simple levels of Bianco’s Pyramid of Pain. Such rules, regardless of their capability to detect malicious activity at the moment of rule creation, have low resilience for long-term use on the SOC Prime Platform.
  • Detection duplication, including submission of rules whose detection logic is already covered by SOC content available on Threat Detection Marketplace or other resources.

Also, there are always cases when several authors submit similar detections for verification by the SOC Prime team, and at the moment of submission this detection is not publicly available. In such cases, as explained during the Threat Bounty Developer Roundup and in the dedicated Discord channel, the submitted detections are reviewed according to the “first in – first out” principle, starting with the Sigma rule that was received for review first. Rules resubmitted after the suggested corrections enter the same queue and are reviewed according to the same principle.

To better understand the acceptance criteria for Threat Bounty content and avoid common mistakes, we recommend that Threat Bounty authors follow the guidelines and HowTos available on SOC Prime’s Help Center and consider the recommendations provided during the Threat Bounty Developer Roundup.

For those who want to improve their Sigma rule writing before contributing to Threat Bounty, we highly recommend Uncoder AI, which has an IDE-style interface with autocomplete, Sigma rule templates, and many more convenient features. You can also have your Sigma rule syntax verified and improve your detections with automatically suggested enhancements.

We encourage Threat Bounty members to ask questions and discuss technical and non-technical topics in the dedicated channels of SOC Prime’s Discord server. This helps address issues that are important for most Threat Bounty members and ensures that the guidelines, recommendations, and online sessions are helpful for you.

TOP Threat Bounty Detection Rules

The following Threat Bounty Sigma rules received the largest numbers of detection code views, downloads, and deploys by unique companies, supporting the cybersecurity operations in more than 8,000 organizations worldwide:

  1. Possible Word Remote Code Execution Vulnerability [CVE-2023-21716] Bypass With Defense Evasion Technique by Modifying Associated Registry Key (via registry_event) Sigma rule by Mustafa Gurkan KARAKAYA detects potential defense evasion techniques by examining the modification of the associated registry keys.
  2. Suspicious Barracuda Zero-Day Vulnerability (CVE-2023-2868) Persistence Activity by Detection of Associated Commandline (via process_creation) Sigma rule by Mustafa Gurkan KARAKAYA detects possible persistence activity following exploitation of CVE-2023-2868 by detecting the associated command line.
  3. Exploiting Potential Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Provides Persistence Through Scheduled Task (via file_event) Sigma rule by Mehmet Kadir CIRIK detects malicious file activity that gives attackers persistence on the target system.
  4. Possible Exfiltration Activity of CL-STA-0043 APT Group by Detection of PowerShell CommandLine Sigma rule by Aung Kyaw Min Naing (Nolan) detects PowerShell command-line execution that abuses the Exchange Management Shell to steal targeted email data, as used by the CL-STA-0043 APT group targeting governments in the Middle East and Africa.
  5. Suspicious Command Line Indicating BlackCat Ransomware Execution with Get UUID Option (via process_creation) Sigma rule by Mehmet Kadir CIRIK detects process execution with the --access-token flag accompanied by a child process with a ‘get uuid’ option.

Top Authors

Threat Bounty detections on the SOC Prime Platform authored by the following content creators received the highest rating based on their share of unique views, downloads, and deploys by unique client companies:

Mustafa Gurkan KARAKAYA

Sittikorn Sangrattanapitak

Nattatorn Chuensangarun

Osman Demir

Emir Erdogan

Keep your career path aligned with industry development and monetize your evolving security engineering skills by participating in collective cyber defense and contributing to the SOC Prime Threat Bounty Program.