SOC Prime Threat Bounty — March 2022 Results

Threat Bounty Program March

During the previous month, the attention and experience of the cybersecurity experts were especially required to help the industry withstand emerging devastating threats. Devoted members of the Threat Bounty community provided detections to protect against such threats as HermeticWiper, the FoxBlade malware, the attack of APT41 against the U.S. state government networks, exploitations of the critical CVE-2022-22965, and many others. Read more about the threats addressed by the detection content published by Threat Bounty members in our Blog, or explore detections on the SOC Prime Platform.

Read More Go to Platform

March ‘22 Results

In March 2022, the detection content authors of the Threat Bounty community have successfully published 227 unique detections — 186 basic and 41 advanced rules. The published content successfully passed validation by SOC Prime experts. The published detections contain references providing the context to the detection, and are aligned with the MITRE ATT&CK® framework v.10. 

The detections submitted by Threat Bounty authors are available to users of the SOC Prime platform based on their current Subscription Plan

Based on the analysis of content usage in March, Community clients downloaded 72% of Threat Bounty detections out of all downloaded content from the SOC Prime Platform. While for the premium clients, the percentage of Threat Bounty content in their downloads amounted to 49%.

To ensure that all the published content meets the partner content quality requirements, a great number of the submitted rules went through several iterations for improvements. The authors received feedback from the SOC Prime team on key issues during the review.

More than 390 suggested rules were rejected. The most common rejection reasons were the following:

  1. The logic of the suggested rule is already covered by the existing rule in the SOC Prime Platform. In view of this, we reminded authors to check their content with the automated rule scan tool to avoid duplicates. However, in view of the great number of rules submitted for review and the follow-the-sun operations of the content review, authors should mind that the content that passed the review first is published to the Platform.
  2. The suggested detection rule is created by someone else, the algorithm is not in any way improved, and violates the Sigma Detection Rule License or rights of any third party. 
  3. The provided rule has pitfalls in the detection logic that can’t be fixed during improvement iterations of this rule.

TOP Authors and Rewards Information

The following Threat Bounty content authors gained the highest rating based on the usage of their published content by SOC Prime clients:

Emir Erdogan

Furkan Celik

Osman Demir

Aytek Aytemur

Kaan Yeniyol

Detections by these authors were the most viewed, downloaded, and deployed by unique clients in the SOC Prime Platform. We suggest the Threat Bounty authors follow the wanted_list recommendations in the community Slack channel to ensure submitting detections for the most demanded log sources and topics.

The average payout is $1395, including the rewards of all active members who started their publication not long ago and do not have a large portfolio of published detections on the SOC Prime Platform.

Top Rated Content

Cobalt Strike – Detection of RDP NGROK Activities (via cmdline) Sigma-based threat hunting query by Furkan Celik helps to detect Ngrok RDP activities. The detection is available for 16 various platforms.

Impersonation of An OKTA Account (Possible LAPSUS behaviour) Sigma-based query by Emir Erdogan detects suspicious behavior of account impersonation on the OKTA platform. The detection is available for 16 SIEM, EDR & XDR platforms.

Threat-hunting rule by Antonio Farina Detects possible HermeticWiper by specific Driver installation. The detection is available for 14 technologies. Also, the Detection Of New Malware HermeticWiper Targeting Ukraine (via registry_event) by Furkan Celik helps to detect possible attacks of HermeticWiper malware

Threat-hunting advanced Sigma-based query for detecting Possible APT35 Credential Access by Dumping lsass.exe Memory with comsvcs.dll (via cmdline) by Aytek Aytemur is available for 23 SIEM, EDR & XDR platforms. 

Explore SOC Prime’s Detection as Code platform and boost your threat detection capabilities with the power of global cybersecurity expertise. Eager to contribute your own exclusive unique detections to help organizations around the globe defend against emerging threats? Join SOC Prime’s Threat Bounty Program, submit detection content including Sigma and YARA rules, get them published to the platform after verification by SOC Prime experts, and receive recurring rewards for your contributions!