SOC Prime Threat Bounty Digest — October 2024 Results

Threat Bounty Rules Releases

Welcome to the October results edition of our traditional Threat Bounty Monthly digest.

Last month, our global community of cybersecurity professionals participating in crowdsourced detection engineering promptly addressed emerging cyber threats with actionable detection content. As a result, 81 new detection rules by Threat Bounty Program members were released on the SOC Prime Platform.

Sadly, many rules did not pass verification and, as a result, were not published on the Threat Detection Marketplace for monetization. If you want to improve your Threat Bounty results and reputation and publish detections that are not only released but are in noticeably high demand among the companies that use the SOC Prime Platform, here is the list of resources to pay attention to:

Resources about Uncoder AI:

Blog with detailed information on how to use Uncoder AI for Threat Bounty publications. You can also refer to this video demo as a manual.

Detailed step-by-step instructions on SOC Prime’s Help Center on how to submit detection rules for publication via the Threat Bounty Program.

General user manuals and how-to guides on SOC Prime’s Help Center. They cover all functionalities of Uncoder AI, not only those that are available to the members of the Threat Bounty Program.

Content quality and other requirements:

Guidelines and best practices for Threat Bounty members.

Requirements for Threat Bounty detection rules.

What Detection Rules were Popular in October?

Monetization of Threat Bounty detection rules depends entirely on how useful and actionable organizations leveraging the SOC Prime Platform consider the content to be. The real success of Threat Bounty detection rules, and of their authors’ professionalism, is reflected in their popularity among organizations of different sizes, sectors, and countries. Here are the top five October Threat Bounty detection rules:

Threat Hunting Sigma rule Suspicious Collection Activity of ‘CeranaKeeper New Chinese APT Group (WavyExfiller Python uploader)’ By Detection of WinRar CommandLine (via process_creation) by Aung Kyaw Min Naing detects the execution of WinRAR commands used to collect and archive data from the victim system via the WavyExfiller script (a Python uploader) by CeranaKeeper, a new Chinese threat actor group that targets governmental institutions in Thailand.

Possible Detection of BruteRatel and Latrodectus Malware via rundll32.exe and DLL Loader Commands (via process_creation) by Davut Selcuk detects suspicious activity related to the BruteRatel and Latrodectus malware families, which leverage the rundll32.exe process to execute malicious DLLs. These malware variants often follow an infection chain involving JavaScript, MSI, and DLL files to establish persistence and evade detection.

Possible UAT-5647 Execution by Exfiltrating Data on Disk with RomCom Malware (via process_creation) by Nattatorn Chuensangarun detects suspicious UAT-5647 activity in which RomCom malware is deployed to steal data from the victim’s system.

Possible Detection of SmartLoader and LummaStealer Activity via Scheduled Task Creation for Malicious Persistence on Windows Systems (process_creation) by Davut Selcuk detects suspicious activity related to the deployment of SmartLoader and LummaStealer malware through the creation of scheduled tasks on Windows systems.

Possible Detection of LummaStealer Persistence via Registry Modifications (via registry_event) by Davut Selcuk detects suspicious registry modifications associated with the LummaStealer malware, which has been deployed using the SmartLoader technique in ongoing campaigns.

TOP Content Authors

Traditionally, in this section of the Threat Bounty Monthly Digest, we celebrate personal advancements in detection engineering and contributions to collective cyber defense efforts. Meet five Threat Bounty rule authors who demonstrated their expertise in addressing the most relevant cyber threats with their detection rules:

Davut Selcuk, who is also the first Threat Bounty member to be recognized as an Outstanding Contributor to the SOC Prime Platform. This means that this author reached the milestone of 100 successful releases of his detection rules in 2024.

Emir Erdogan

Osman Demir

Nattatorn Chuensangarun

Emre Ay

It is also worth noting that both experienced and new members of the Threat Bounty Program who demonstrate practical skills in using Uncoder AI as a co-pilot for detection engineering are awarded the Uncoder AI Professional digital credential.

Want to learn more about the program for crowdsourced detection engineering and gain recognition by contributing to global cyber defense? Join the Threat Bounty Program now!
