SOC Prime Threat Bounty — October 2022 Results

October ‘22 Publications

In October, the members of Threat Bounty Program actively contributed detections for critical emerging threats. After the SOC Prime validation, 256 detections were successfully released on the Platform and thus were included into monetization based on the client’s activities.

Read Blog Explore Detections

However, 375 rules were rejected to be published. SOC Prime carefully validates all detections received for review, and the most common rejection reasons are detection duplications and pitfalls in detection logic. To avoid such situations, we highly recommend all content developers willing to monetize their detections with the Threat Bounty Program take into consideration the recommendations of the Sigma Rules Guide

Also, before creating a new detection in terms of the Threat Bounty Program, we recommend checking with the Sigma rules search engine whether similar detention already exists, and utilizing the Lucene search option to look for possible similar detection patterns within Threat Detection Marketplace.

Threat Bounty content authors may submit detections using Developer Portal or Sigma Rules Bot. Learn more about how to start monetizing your detection engineering skills with Threat Bounty Program. 

As for the most demanded content, we recommend our Threat Bounty developers focus on the following:

  • Unique own-developed detections for existing and emerging threats, especially critical CVEs and ongoing campaigns.
  • Rules for detecting possible attacks against organizations of the public and private sector who openly support and follow the sanctions against the russian federation and thus may become the target of the attack. This includes detections for possible exploitation of vulnerabilities in technologies actively used in the organizations. 
  • Detections for possible attacks against critical infrastructures, including ICS-capable malware, wipers, and other destructive strains.

Top Authors

The detections of the following authors received the biggest numbers of unique code views, downloads, and deploys on the SOC Prime Platform:

Nattatorn Chuensangarun

Wirapong Petshagun

Kyaw Pyiyt Htet

Sittikorn Sangrattanapitak

Osman Demir

The average bounty payout for October is $1,538.

Top-Rated Content

All the Sigma rules provided via the Threat Bounty Program accepted for publication on the SOC Prime Platform must be mapped to the MITRE ATT&CK® framework where applicable, and have references to open resources providing a broader context to the detected activity, including links to exploits, threat intel, mitigations, media, etc. There are 5 detections released in terms of the Threat Bounty Program which gained the most clients interest in October:

Possible Initial Access by Text4Shell Template Injection [CVE-2022-42889] (via proxy) by Kyaw Pyiyt Htet (Mik0yan) threat hunting Sigma rule detects keywords in the URI field of HTTP requests that are known to be used in the exploitation of the Text4Shell vulnerability. 

Possible Exchange Server RCE (Proxyshell/ProxyNotShell) by Zer0 Ways (@0w4ys), SOC Prime Team (updates) Sigma rule detects successful exploitation attempt of Exchange Server RCE (Proxyshell).

Possible Cobalt Strike Loader Execution by Using VBA Function for Creating/Executing Shortcut [Targeting Russian-Ukrainian Conflict] (via process_creation) Sigma rules by Nattatorn Chuensangarun detects suspicious Cobalt Strike Loader activity by using malicious VBA function for creating and executing the shortcut lnk file.

Possible Chinese APT Emperor Dragonfly Ransomware Group Using DLL Side-Loading to Load Cobalt Strike Beacons (via image_load) Sigma rule by Chayanin detects Emperor Dragonfly used DLL-Side loading to execute Cobalt Strike Beacon and identifies three DLLs loaded using unique directories for common utilities such as VLC.

Possible Bl00dy Ransomware Persistence by Modifying Registry to Start Encryption Routine with Leaked LockBit 3.0 Builder (via process_creation) Sigma rule by Nattatorn Chuensangarun detects suspicious Bl00dy Ransomware activity by modifying the registry key to start the encryption routine before the user logon with Leaked LockBit 3.0 Builder.

Don’t hesitate to join the Threat Bounty Program, earn cash with your detection engineering skills, and create a portfolio demonstrating your expertise in detection engineering with SOC Prime!