Tag: TDM

Extended Community Access and Free Trials at the Threat Detection Marketplace

At SOC Prime, we are constantly developing our products that help cybersecurity practitioners to be in sync about the latest threats and attack methods as well as have detections and analytical data tailored to each corporate environment at their fingertips. For more transparency, the newly introduced Dashboard page allows getting a line on activities of […]

Detection Content: Finding DLLs Loaded Via MS Office

It’s no secret that phishing attacks are one of the most effective ways to infect a target with malware. Typically, adversaries expect to convince a user to open a malicious document and enable macros, or they use vulnerabilities in MS Office to deploy malware. We regularly publish rules (1, 2, 3) for detecting phishing campaigns or […]

Threat Hunting Content: Higaisa APT

Higaisa APT has been known since November 2019, when Tencent researchers first documented its activities. The group was discovered only recently, but the attackers have been operating for several years and use common tools to complicate attribution. They mainly use mobile malware and the Gh0st and PlugX trojans. Researchers believe that Higaisa APT is a South […]

Rule of the Week: Command Execution on Azure VM

In the Rule of the Week section, we present the Command Execution on Azure VM (via azureactivity) rule by SOC Prime Team: https://tdm.socprime.com/tdm/info/A5uYMlcWOmeq/RYxlfnIB1-hfOQirCXZy/?p=1# Adversaries can misuse Azure VM functionality to establish a foothold in an environment, which could be used to persist access and escalate privileges. They can exploit the Run Command feature that […]

Threat Hunting Content: Devil Shadow Botnet

Nowadays, during the lockdown, many organizations continue to use Zoom at the corporate level to conduct conference meetings, despite the security issues found in this application. Attackers have been exploiting the increased popularity of this application for several months, and you can partially protect your organization from attacks by hardening the Zoom service. But this will […]

Rule Digest: Detection Content by SOC Prime Team

We are pleased to present the latest Rule Digest, which, unlike the previous digest, consists of rules developed by the SOC Prime Team only. This is a thematic selection, since all of these rules help to find malicious activity via the command line by analyzing Sysmon logs. But before moving directly to the […]

Detection Content: Scarab Ransomware

Scarab ransomware was spotted for the first time in June 2017 and has been reappearing with new versions since then. This ransomware is one of the many HiddenTear variants, an open-source ransomware Trojan released in 2015. The recently discovered versions of the ransomware use an improved RSA encryption method and add various extensions to infected […]

IOC Sigma: GreenBug APT Group Activities

Greenbug APT is an Iran-based cyber-espionage unit that has been active since at least June 2016. The group most likely uses spear-phishing attacks to compromise targeted organizations. After an initial compromise, the adversaries use multiple tools to compromise other systems on the network and steal user names and passwords from operating systems, email accounts, and web […]

Interview with Developer: Sreeman Shanker

Meet Sreeman, one of the most active participants in the SOC Prime Threat Bounty Program. Sreeman has been participating in the Threat Bounty Program since December 2019. Before he started publishing his own content to Threat Detection Marketplace, Sreeman had contributed a bulk of changes and improvements to the existing TDM content translations for Azure […]

Interview with Developer: Emir Erdogan

We keep interviewing members of the Threat Bounty Program (https://my.socprime.com/en/tdm-developers), and today we want to introduce you to Emir Erdogan. Emir has been participating in the program since September 2019 and has 110+ Sigma rules published to his name, but he also publishes YARA rules to detect current threats. His rules are often found […]
