Threat Bounty Content
We continue aligning the efforts with Threat Bounty Program members in enriching the SOC Prime Platform with actionable detection content for behavior detection rules. In today’s rapidly changing threat landscape, security professionals leveraging the SOC Prime Platform to defend their corporate environments rely upon SIEM content that is capable of detecting behavioral patterns and use Uncoder IA as an IDE for internal content development or ad-hoc parsing of IOCs into actionable SIEM or EDR specific queries.
In view of this, the requirements and the acceptance criteria for the Threat Bounty detections that are submitted for a change of monetization on the SOC Prime Platform serve as essential measures to ensure the quality of the submitted detection rules. For instance, strict standards for Threat Bounty rules acceptance are in place to ensure that the published Threat Bounty detections maintain efficiency and workability and provide continuous reliance on it within the operational environments of the companies leveraging the SOC Prime Platform.
TOP Threat Bounty Detection Rules
The following rules that were published to the SOC Prime Platform via the Threat Bounty Program gained the most interest among Platform users:
- Threat hunting Sigma rule Rhysida Ransomware (RaaS) Group Targets Latin American Government Institutions with Use of Associated Command Line Parameters (via process_creation) by Mehmet Kadir CIRIK. This rule detects suspicious command line parameters used by Rhysida Ransomware.
- Suspicious Registry Key Change of DarkGate Malware Activity (via registry_event) threat hunting Sigma rule by Davut Selcuk. This rule detects changes to registry keys associated with DarkGate, a loader with RAT capabilities sold as Malware-as-a-Service (MaaS).
- Suspicious LockBit 3.0 Ransomware Execution by Detection of Associated Commands (via cmdline) by Osman Demir. This threat-hunting Sigma rule detects possible LockBit 3.0 ransomware distributed while disguised as job application emails.
- Possible Remote System Discovery Activity on Linux by Detection of Associated Command (via process_creation) threat hunting Sigma by Emre Ay. This rule detects malicious behavior when adversaries attempt to display an ARP table for hosts sharing the same network segment on a Linux system.
- Suspicious Retrieve PlainText Secret Value From Azure KeyVault By Detection of Associated Command (via process_creation) threat hunting Sigma rule by Mustafa Gurkan KARAKAYA detects possible retrieve secret value from Azure keyvault as plaintext via associated command.
Top Authors
Detection rules created by these Threat Bounty content authors gained the most ratings based on the activities by Platform users leveraging Threat Detection Marketplace:
Would you like to become a Threat Bounty Program member and help companies worldwide defend against cyber threats with your own detection rules?
The post SOC Prime Threat Bounty Digest — November 2023 Results appeared first on SOC Prime.