SOC Prime Threat Bounty — March 2023 Results

Threat Bounty Publications

During March, our Threat Bounty content authors submitted 423 rules for verification by SOC Prime. Every Threat Bounty detection undergoes validation by our internal content verification team, who examine the rules one by one and decide whether each is published to the SOC Prime Platform. After applying the content acceptance criteria, 70 new detections by Threat Bounty authors were released to the SOC Prime Platform.


We remind Threat Bounty authors that only validated rules are published to the SOC Prime Platform for monetization. Historically, the most common reasons for content rejection are:

  • Detection duplication. Submitting a rule that duplicates existing detection logic is the rejection reason that authors can most easily prevent. Before submitting, search the SOC Prime Platform for existing content with similar detection logic (matching log source, fields and values, not just a similar title).

To better understand how search on the SOC Prime Platform works and to learn about other content-related Platform capabilities, please refer to the Platform tutorial videos.

Duplicates are rejected because companies rely on SOC Prime content in their routine security operations, and duplicated detection logic causes practical problems: duplicate alerts for the same event, inflated false-positive volume, additional load on the security solutions that run the rules, and the need to maintain several copies of the same detection algorithm whenever it changes.

  • IOC-based rules, which are known to have low resilience for long-term use. Such rules are rejected because detections built on indicators (hashes, IP addresses, domains, file names) require regular updates to remain effective once the adversary rotates infrastructure or recompiles tooling, and therefore cannot serve as a reliable means of threat hunting and threat detection over the long term.

To better understand the different types of IOCs and to submit TTP-based detections, which are the most trusted and most requested by clients, we highly recommend reading this article about SIGMA vs Indicators of Compromise.

  • Code with faulty detection logic. Such rules are rejected because SOC Prime publishes only rules that are fully functional and created by the content author. This means that the content validation team does not correct submitted rules or provide comprehensive instructions on how to improve them.

We suggest that content authors discuss known issues with their peers in the Threat Bounty Discord channels and refer to the Threat Bounty Content Guide and FAQ.

To help Threat Bounty authors better understand the criteria for content acceptance and to address the questions affecting most authors, we invite Threat Bounty members to join the Threat Bounty Developer Roundup, which will be held on Tuesday, May 2, at 12 PM (EDT). We encourage you to take part in the pre-arranged Q&A on SOC Prime Discord and share your thoughts and experience. Your engagement in the Q&A is what defines the priorities to be addressed during the Threat Bounty Developer Roundup.

TOP Threat Bounty Detection Rules

Suspicious Mustang Panda's New Backdoor [MQsTTang] Behaviour by Detection of Associated Registry Key (via registry_event) threat hunting Sigma rule by Mustafa Gurkan KARAKAYA detects persistence activity of the MQsTTang backdoor used by the Mustang Panda APT group, based on the registry key it adds.

Suspicious QakBot Malware Behaviour With Associated Commandline by Spreading Malicious OneNote Document (via process_creation) threat hunting Sigma rule by Mustafa Gurkan KARAKAYA detects QakBot malware behaviour through the command lines observed in process creation events when the malware spreads via malicious OneNote documents.

Possible GoAnywhere MFT Zero-Day Vulnerability CVE-2023-0669 (via webserver) threat hunting Sigma rule by Mehmet Kadir CIRIK detects possible exploitation attempts against the GoAnywhere MFT zero-day vulnerability CVE-2023-0669 in web server logs.

Royal Ransomware Detection on Linux ESXi servers threat hunting Sigma rule by Emir Erdogan detects the command-line arguments used by Royal Ransomware on ESXi servers with the help of process_creation logs.

Possible PlugX Trojan Activity by Detection of Associated Commands (via process_creation) threat hunting Sigma rule by Emre Ay detects trojan activity executed via rundll32. Adversaries use this method to evade defenses and to hide intrusion activity behind a legitimate signed Windows binary.

Top Authors

Threat Bounty detections by the following five authors received the most interest from representatives of organizations leveraging SOC Prime in their day-to-day operations:

Nattatorn Chuensangarun

Osman Demir

Sittikorn Sangrattanapitak

Mustafa Gurkan KARAKAYA

Emir Erdogan

The average reward payout for March 2023 is $1,356.

Join the Threat Bounty Program to add detection engineering experience to your CV, contribute to the SOC Prime Platform, and become a trusted part of the collective cyber defense.