SOC Prime Threat Bounty — October 2021 Results

SOC Prime Threat Bounty

SOC Prime Threat Bounty Program provides enthusiastic cyber security defenders with the opportunity to share detections with the global community, and get publicly recognized and rewarded for their contributions.

Threat Bounty participants are motivated to share detections that address the security needs of 20K+ users, and content authors earn each time their detection is consumed by clients via the SOC Prime Platform. Whether a detection was published this week or two years ago, only a rule of the highest quality creates sustained demand from many clients.

October ’21 Results

In October 2021, Threat Bounty Program developers contributed 245 new detections to the SOC Prime Platform. Moreover, 360 rules previously published by Threat Bounty authors to the Threat Detection Marketplace repository were improved and updated.

Publication of new content +199%

Publication of new community content +212%

Threat Bounty members who contributed the most actively:

Nattatorn Chuensangarun

Sittikorn Sangrattanapitak

Onur Atali

Emir Erdogan

Osman Demir

Kaan Yeniyol

Threat Bounty Rewards

SOC Prime pays recurrent rewards for content published in the SOC Prime Platform via the Threat Bounty Program. In early November, we summarized all client interactions that make up the content rating for October. The average payout for previously active members is $755.

The client experience with Threat Bounty content via the SOC Prime Platform for November is being carefully analyzed so that authors receive detailed feedback on how to improve their detection content. Because qualified content that addresses clients’ needs generates more interactions and brings more value to the customer, the SOC Prime team will recognize all ongoing content submissions and improvements made by Threat Bounty developers with doubled rewards for December 2021.

The rewards are based on a content rating that reflects how much SOC Prime users benefit from the published content, measured by unique client views and downloads of each rule.

Most Popular Content by Threat Bounty Developers

CVE-2021-41773 Apache 2.4.49 – Path Traversal exclusive Sigma query by Zer0 Ways (@0w4ys) detects exploitation of path traversal and possible remote code execution in Apache HTTP Server 2.4.49.

O365 – Create Hidden Mailbox Rule exclusive Sigma query by Sittikorn Sangrattanapitak monitors user behavior that may indicate compromised Microsoft Exchange credentials. As one of the first steps after obtaining the credentials (most commonly through phishing), attackers create malicious inbox rules to copy their victim’s incoming and outgoing emails.
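The collection step described above leaves a trail in the Exchange Online audit log: a New-InboxRule or Set-InboxRule operation whose parameters forward or redirect mail, often combined with actions that keep the rule’s effect out of the victim’s view. The following is an added example of that detection idea, written for this summary rather than taken from the Threat Bounty rule itself; it assumes records in the shape of Office 365 unified audit log entries (Workload, Operation, UserId, ClientIP and a Parameters list), and the sample records are constructed.

```python
import json

# Rule actions that send copies of mail elsewhere (the collection step described above).
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Actions often combined with forwarding to keep the rule's effect out of the victim's view.
CONCEALMENT_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

def suspicious_inbox_rules(records):
    """Flag Exchange audit records that create or modify a forwarding inbox rule."""
    findings = []
    for rec in records:
        if rec.get("Workload") != "Exchange":
            continue
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        # Cmdlet parameters are logged as a list of {"Name": ..., "Value": ...} pairs.
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        forwarding = FORWARDING_PARAMS & set(params)
        if not forwarding:
            continue  # rules that only sort or file mail are not the pattern of interest
        findings.append({
            "user": rec.get("UserId"),
            "client_ip": rec.get("ClientIP"),
            "rule": params.get("Name") or params.get("Identity"),
            "forward_to": [params[k] for k in sorted(forwarding)],
            "concealed": bool(CONCEALMENT_PARAMS & set(params)),
        })
    return findings

# Constructed sample records (assumed audit-log shape, not real tenant data).
SAMPLE_RECORDS = json.loads("""[
 {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@example.com",
  "ClientIP": "203.0.113.10", "Parameters": [
   {"Name": "Name", "Value": "."}, {"Name": "ForwardAsAttachmentTo", "Value": "ext@example.net"},
   {"Name": "MarkAsRead", "Value": "True"}, {"Name": "DeleteMessage", "Value": "True"}]},
 {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "bob@example.com",
  "ClientIP": "198.51.100.7", "Parameters": [
   {"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@example.com"},
   {"Name": "MoveToFolder", "Value": "Newsletters"}]},
 {"Workload": "Exchange", "Operation": "Set-InboxRule", "UserId": "carol@example.com",
  "ClientIP": "192.0.2.44", "Parameters": [
   {"Name": "Identity", "Value": "Receipts"}, {"Name": "RedirectTo", "Value": "carol@example.org"}]}
]""")

if __name__ == "__main__":
    for finding in suspicious_inbox_rules(SAMPLE_RECORDS):
        print(finding)
```

Only the two forwarding rules are reported; the first is additionally marked as concealed because it deletes and marks as read the messages it forwards.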

PowerSploit, Detection Of PS Modules (code execution, persistence, bypassing anti-virus, etc.) exclusive Sigma query by Emir Erdogan detects possible use of PowerSploit, an open-source offensive security framework made up of PowerShell modules and scripts that perform a wide range of penetration-testing tasks such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.

CVE-2021-34527 Possible PrinterNightmare Exploit Detected (via printservice log) by Sittikorn detects suspicious activity generated by PoC code targeting the Windows Print Spooler remote code execution vulnerabilities CVE-2021-1675 and CVE-2021-34527 (PrintNightmare).

WinRM Remote Shell From Internet by Sittikorn detects network events that may indicate use of a WinRM remote shell from the Internet. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system. The WinRM port is also used in exploitation of CVE-2021-38647, which is listed in CISA’s Binding Operational Directive (BOD) 22-01.

Sigma rules published with SOC Prime Threat Bounty are available for 20+ SIEM & XDR platforms and are mapped to the MITRE ATT&CK framework.

Explore the SOC Prime platform for collaborative cyber defense, threat hunting and discovery to boost threat detection capabilities and defend against attacks more easily, faster and more efficiently. Want to join our crowdsourcing initiative to make the world a safer place? Get started with the industry-first Threat Bounty Program!
