SOC Prime Threat Bounty — November 2021 Results

November ‘21 Results

In November 2021, Threat Bounty Program developers contributed 243 new detections to the SOC Prime Platform. Moreover, 89 rules previously published by Threat Bounty authors to the Threat Detection Marketplace repository were improved and updated.

Because SOC Prime aims to publish only content that meets the highest standards, a total of 245 submissions failed review and were rejected for the following reasons:

  • A detection with the same logic already exists on the SOC Prime Platform.
  • The submission is an IoC query based solely on forensic artifacts of a specific breach (hashes, file names, etc.) and has no long-term value for SOC Prime customers.
  • The submitted Sigma rule has no detection value.
  • The rule was created by another author, which violates the Sigma Detection Rule License (DRL) and the Program License Agreement.
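As an added illustration of the second and third rejection reasons (this is example code written for this page, not SOC Prime platform logic or any Threat Bounty author's rule), the Python below implements a minimal Sigma-style matcher and runs an IoC-only rule and a behavior-based rule over constructed Sysmon-like process-creation events. The hashes, paths, event names and rule titles are assumptions made for the example. The hash rule fires only on the one sample it was written for; the behavior rule also catches a rebuilt variant with a new hash and file name while a filter keeps a legitimate Office child process quiet, which is the long-term value the review looks for.

```python
"""Added example: a minimal Sigma-style matcher that contrasts an IoC-only rule
with a behavior-based rule over constructed process-creation events.
Illustrative code only, not SOC Prime platform logic or a Threat Bounty rule;
the events, hashes and paths below are constructed, not real telemetry."""
import fnmatch

# Constructed Sysmon-like EventID 1 (process creation) records.
EVENTS = [
    {"name": "known sample",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\doc_update.exe",
     "Hashes": "SHA256=" + "a" * 64},
    {"name": "rebuilt variant",  # same tradecraft, new build: hash and file name differ
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\bob\AppData\Roaming\invoice.exe",
     "Hashes": "SHA256=" + "b" * 64},
    {"name": "user-launched installer",  # benign: not an Office child process
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "Hashes": "SHA256=" + "c" * 64},
    {"name": "office opening teams link",  # benign Office child, handled by the filter
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "Hashes": "SHA256=" + "d" * 64},
]

# Rejection reason 2: an IoC query keyed on one sample's hash (constructed value).
IOC_RULE = {
    "title": "Known dropper by hash (IoC-only)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Hashes|contains": "SHA256=" + "a" * 64},
        "condition": "selection",
    },
}

# Behavior-based alternative: an Office application spawning an executable from
# AppData, with a filter for a legitimate child. Survives rebuilds of the malware.
BEHAVIOR_RULE = {
    "title": "Office application spawns executable from AppData",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE"],
            "Image|contains": "\\AppData\\",
        },
        "filter_teams": {"Image|contains": "\\AppData\\Local\\Microsoft\\Teams\\"},
        "condition": "selection and not filter_teams",
    },
}


def _match_value(modifiers, actual, expected):
    """Sigma string matching is case-insensitive; plain values allow * and ? wildcards."""
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return fnmatch.fnmatchcase(a, e)


def match_selection(selection, event):
    """Sigma map semantics: every field must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifiers, event[field], v) for v in values):
            return False
    return True


def eval_condition(condition, results):
    """Evaluate a Sigma condition built from 'and', 'or' and 'not' (precedence: not > and > or).
    Parentheses and aggregation expressions are out of scope for this example."""
    def term(tok):
        tok = tok.strip()
        if tok.startswith("not "):
            return not term(tok[4:])
        return results[tok]
    return any(all(term(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def match_rule(rule, event):
    detection = rule["detection"]
    results = {name: match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def run(rule, events):
    """Return the names of the events a rule fires on."""
    return [ev["name"] for ev in events if match_rule(rule, ev)]


if __name__ == "__main__":
    for rule in (IOC_RULE, BEHAVIOR_RULE):
        print(f"{rule['title']}: {run(rule, EVENTS)}")
```

Running the file prints which events each rule fires on: the hash rule names only the known sample, the behavior rule names the known sample and the rebuilt variant. The evaluator covers only the and/or/not subset of the Sigma condition grammar; in practice rules are converted into the target SIEM's query language with the Sigma toolchain rather than matched in Python.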

Rewards and Top Authors

In November, the total Bounty reward paid to active content contributors doubled, and the average payout per previously active contributor increased from $755 to $1,420.

These are the Threat Bounty authors whose published Community and Exclusive content received the highest ratings on the SOC Prime Platform.

Sittikorn Sangrattanapitak 

Osman Demir

Onur Atali

Emir Erdogan

Nattatorn Chuensangarun


Top Content by Threat Bounty Developers

Because Program rewards are based on content rating, we track how much interest clients show in published Threat Bounty content. To encourage authors to contribute exclusive behavior-based detections with complex logic, we offer a doubled rating index for such content.

Palo Alto Threat Top 10 Most Exploited Vulnerabilities by CISA Sigma query by Sittikorn S flags Palo Alto threat-log events for the top 10 most exploited vulnerabilities reported by the Cybersecurity and Infrastructure Security Agency (CISA).

CVE-2021-41773 Apache 2.4.49 – Path Traversal Sigma query by Zer0 Ways (@0w4ys) detects exploitation attempts against the critical path traversal vulnerability in Apache HTTP Server 2.4.49.

Emotet Process Creation – Nov 2021 Sigma query by Onur Atali detects Emotet-like process executions that are not covered by the more generic rules.

CVE-2021-34473 Exchange Server RCE (Proxyshell) Sigma query by Zer0 Ways (@0w4ys) detects successful exploitation attempts of the Exchange Server RCE.

Community available content published with Threat Bounty that received the most traction during November 2021:

BlackMatter Ransomware of DarkSide Registry Detect Sigma query by Onur Atali detects registry artifacts of BlackMatter ransomware, the DarkSide successor.

Squirrelwaffle Loader Activity with CobaltStrike Sigma query by Osman Demir detects SquirrelWaffle loader activity used to deliver Cobalt Strike.

CVE-2021-41773 via a path traversal vulnerability in Apache (via linux) Sigma query by Nattatorn Chuensangarun detects Linux command lines used to exploit the CVE-2021-41773 path traversal in Apache HTTP Server (which becomes remote code execution when mod_cgi is enabled) and CVE-2021-42013, the bypass of its incomplete fix.

To learn how the SOC Prime Threat Bounty Program drives the crowdsourcing initiative for making the world a safer place, watch the recording of our insightful webinar that took place on December 2, 2021. In this session, SOC Prime experts speak about the global demand for qualified detection content and explain how individual cyber defenders can address it by creating their own detections for the Threat Detection Marketplace community.

Explore the SOC Prime platform for collaborative cyber defense, threat hunting and discovery to boost threat detection capabilities and defend against attacks easier, faster and more efficiently. Want to join our crowdsourcing initiative to make the world a safer place? Get started with the industry-first Threat Bounty Program!
