December ‘22 Publications
During the last month of 2022, Threat Bounty developers submitted 441 rules for review by the SOC Prime Team for a chance of publication on the Platform for monetization. The submitted rules were reviewed by a team of seasoned engineers, and based on their collective decisions, 126 rules were released to the SOC Prime Platform in December 2022.
Traditionally, the most common reasons for rejecting content for publication were issues in the detection logic, full or partial similarity with existing detections, and Sigma rules with poor detection value. The verification team's feedback is communicated to the content authors; however, Threat Bounty developers are strongly encouraged to research existing detections and industry best practices to the best of their ability and to follow SOC Prime's recommendations, for example:
SIGMA Rules: The Beginner’s Guide
Security Talks with SOC Prime: All About SIGMA
SIGMA vs Indicators of Compromise
SOC Prime webinar: Data Sources
Security Talks with SOC Prime: Ideas for detections, from hypothesis to hunt
Top-Rated Content
The following threat detection rules gained the most interest and interactions from SOC Prime users during December:
Possible AppleJeus Malware (Lazarus APT) Execution by Detection of Associated Files [Targeting Cryptocurrency Users] (via file_event) threat hunting Sigma rule by Wirapong Petshagun detects file creation events related to AppleJeus malware, which Lazarus APT uses in a new campaign that delivers the malware via fake cryptocurrency applications.
Possible Black-Basta Attack [QakBot] (November 2022) Lateral Movement Activity By Detection of Associated Process (via process_creation) threat hunting Sigma rule by Zaw Min Htun detects execution of a Cobalt Strike payload via rundll32.exe SetVolume commands, as used by Black Basta leveraging Qakbot in a widespread campaign.
Suspicious Aggressive Qakbot Campaign Execution by Detection of Associated Commands [Targeting U.S. Companies] (via powershell) threat hunting Sigma rule by Osman Demir detects a possible aggressive Qbot campaign in which PowerShell is used to query information from Active Directory Domain Services.
Possible TA542/Emotet Malware Execution by Loading Bumblebee Malware with DLL Files (via process_creation) threat hunting Sigma rule by Nattatorn Chuensangarun detects a suspicious rundll command argument used to load a malicious function of the Bumblebee malware, which TA542 used in a recent attack.
Possible Emotet Malware Execution by Deploying AnyDesk via Using MeshCentral (via process_creation) threat hunting Sigma rule by Emre Ay detects suspicious Emotet malware activity in which AnyDesk is deployed after being installed through MeshCentral.
Top Authors
The Threat Bounty detections published by these authors received the highest ratings on Threat Detection Marketplace:
The average Threat Bounty reward payout for December is $1,488.
Don’t hesitate to join the SOC Prime Threat Bounty Program, monetize your continuously improving detection engineering skills, and contribute to the world’s cybersecurity.
The post SOC Prime Threat Bounty — December 2022 Results appeared first on SOC Prime.