Threat Bounty Program Digest — July 2024 Results

July 2024 Results

Detection Content Creation, Submission & Release

Members of the Threat Bounty community continue to explore and leverage the potential of Uncoder AI to develop their practical detection engineering skills and monetize their own detection rules with the SOC Prime Platform.

In July, 37 new detections by Threat Bounty Program members were successfully released on the Threat Detection Marketplace. Also, the quality of the submitted detection content has improved, although many rules were rejected from release due to partial detection duplication with the already existing detection content. Another reason for denied publication is that the detection logic of the submitted rules could be easily bypassed in the organizations’ environments, thus, such rules cannot be accepted by SOC Prime for publication & monetization. 

If you are interested in creating your own detection rules with Uncoder AI and having your rules published on the SOC Prime Platform for monetization, these are the steps for you to follow:

  1. Apply to participate in the Threat Bounty Program. In the comments section of the application form, specify your professional expertise and experience.
  2. Once the SOC Prime Team reviews and approves your application, you will receive extended access to the Uncoder AI with the functionalities for Threat Bounty members.
  3. Set up a Custom Content Repository on the Platform. You will use this repo to store the rules you’ve created.
  4. Сreate, validate, save, and submit your own detection rules for review using Uncoder AI. This video guide provides more specific step-by-step instructions on working with detection rules with Uncoder AI. 
  5. When your detections are released on the SOC Prime Platform, check the Leaderboards to find the details.

Don’t hesitate to join SOC Prime’s Discord server for discussions. To receive access to the private channels for Threat Bounty members, please contact the server moderator. We encourage all members of the Threat Bounty Program to use Uncoder AI to develop their skills in creating detection rules and gain a deeper understanding of the peculiarities of threat detection in different formats. 

TOP Threat Bounty Detection Rules

The following five threat detection rules by Threat Bounty Program members were the most popular in July 2024:

Potential Exploitation of Input Validation Vulnerability in ServiceNow (CVE-2024-4879) — rule by Emir Erdogan. This rule identifies possible attempts to exploit the input validation vulnerability in ServiceNow via webserver logs.

Detection of Akira Ransomware Command Line Execution (via cmd line) — rule by Mise, based on REXor’s research. This rule detects specific command line execution patterns associated with Akira ransomware.

Possible Abusing Microsoft Bitlocker by Modifying Associated Registry Key (via registry_event) — the rule by Emre Ay detects possible attempts to modify the associated registry key, which allows abuse of Microsoft Bitlocker.

Possible Volcano Demon Ransomware (LukaLocker) Suspicious Activity (via commandLine) – rule by Emir Erdogan that identifies possible malicious activities, namely, service stop and restart computer activities of the Volcano Demon ransomware group with the help of commandline parameters.

Possible Remote Code Execution Attempts in GeoServer By Evaluating Property Name Expressions (CVE-2024-36401) – another rule by  Emir Erdogan that detects potential exploitation attempts of the GeoServer Unauthenticated Remote Code Execution vulnerability (CVE-2024-36401) via webserver logs.

Top Authors

Detection rules by these five members of the Threat Bounty Program gained the most attention in July:

Emir Erdogan

Sittikorn Sangrattanapitak

Nattatorn Chuensangarun

Davut Selcuk

Osman Demir

In July, Kyaw Pyiyt Htet received a Trusted Contributor badge for SOC Prime to recognize his contribution to detection rules on the SOC Prime Platform. We also had an insightful meeting with Kyaw Pyiyt Htet, during which he told us about his personal success and how his participation in the Threat Bounty Program helped him achieve new horizons in his career. 

Join the Threat Bounty Program to uplift your professional skills and develop your personal brand!

The post Threat Bounty Program Digest — July 2024 Results appeared first on SOC Prime.