SOC Prime Threat Bounty — May 2022 Results

Threat Bounty Program May

In May 2022, members of the SOC Prime Threat Bounty Program contributed 184 unique detections to the Detection as Code platform. The published detections help the global cyber community detect emerging threats in a timely manner, such as the APT29 phishing campaign, the BlackByte Ransomware attack, the Microsoft SharePoint RCE (CVE-2022-29108), and many others. Information about the recent detections and their context is available on SOC Prime’s search engine.

SOC Prime accepts only high-quality Sigma rules that meet its technical and legal requirements and follow Sigma best practices. To make sure that a suggested Sigma rule doesn’t contain common syntax mistakes, Threat Bounty authors are encouraged to use the automated Sigma check tool and improve their detections as needed. In addition, all detections are reviewed and verified by SOC Prime experts.

In May, 56% of all submitted detections failed verification for publication and were rejected. The rejection reasons were as follows:

  • The rule had wrong detection logic or poor detection value.
  • Content duplication: a detection with the same or very similar logic already existed on the SOC Prime Platform. All Threat Bounty members are kindly advised to use the Lucene search option and refer to the Platform Guide to check whether a given detection algorithm is already available.
  • The suggested rule was created by someone else and the algorithm was not improved in any way before submission, thus violating the Threat Bounty Content Partner License Agreement, the Sigma Detection Rule License, or the rights of a third party.

TOP Authors and Rewards Information

Detections by these Sigma rule authors, published to the SOC Prime Platform, received the highest ratings in May:

  • Kaan Yeniyol
  • Osman Demir
  • Emir Erdogan
  • Furkan Celik
  • Aykut Gurses

The average payout to Threat Bounty Program members who are actively publishing Sigma rules was $1,429.

Top Rated Content

Advanced threat hunting Sigma-based detection query APT 29 Phishing Campaigns downloads BEATDROP and BOOMMIC malwares (via process_creation) by Emir Erdogan detects BEATDROP and BOOMMIC execution activity using process_creation logs.

Threat hunting Sigma query VMware Workspace ONE Access, Identity Manager and vRealize Automation Vulnerability [CVE-2022-22954, CVE-2022-22960] (via webserver) by Nattatorn Chuensangurun detects exploitation of a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager caused by server-side template injection (CVE-2022-22954), and of a privilege escalation vulnerability in vRealize Automation (CVE-2022-22960) caused by improper permissions in support scripts.

Threat hunting query Suspicious Sitrep Hacktool Execution by Detection of Associated Commands (via process_creation) by Furkan Celik detects possible malicious activity related to Sitrep, which attackers can use for system discovery. Sitrep also collects information in categories such as Environment, Defenses, Permissions, Software, and Credentials.

Threat hunting query Suspicious Space Pirates Defense Evasion Use of rundll32.exe (via cmdline) by Osman Demir detects a malicious campaign in which Space Pirates uses rundll32.exe to bypass UAC.

Threat hunting Sigma query Malicious Initial Access by Exploitation of Microsoft SharePoint Server Remote Code Execution Vulnerability – (CVE-2022-29108) (via proxy) by Aykut Gurses detects exploitation of CVE-2022-29108, a Microsoft SharePoint Server remote code execution vulnerability.

All Sigma rules are enriched with the context of the malicious activity and tagged with the MITRE ATT&CK framework. All provided detection content is available for industry-leading SIEM, EDR, and XDR technologies. Detections published under the Threat Bounty Program are available to users of the SOC Prime Platform based on their current Subscription Plan.

Looking for ways to monetize detection content? Join the Threat Bounty Program and make your own contribution to collaborative cyber defense by crafting Sigma and YARA rules, getting them published to the SOC Prime Platform, and receiving recurring financial benefits for your input.