mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

Documentation: Discussion of possible metadata entries for nursery rules #119

Open ghost opened 4 years ago

ghost commented 4 years ago

I took some time today to try and locate some techniques within the nursery being used in the wild, and relevant writeups to reference as well. I cannot guarantee they are all the most stellar examples (or even necessary for some rules) but I put emphasis on the general quality of their writeups, and I hope some will prove to be useful additions.

I have compiled 24 which I will post below with their SHA-256 hash.

[access-the-windows-event-log.yml] https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/ b035ca2d174e5e4fd2d66fd3c8ce4ae5c1e75cf3290af872d1adb2658852afb8

[check-for-process-debug-object.yml] https://blog.talosintelligence.com/2019/01/what-we-learned-by-unpacking-recent.html 3bc0ae9cd143920a55a4a53c61dd516ce5069f3d9453d2a08fc47273f29d1cf3

[connect-network-resource.yml] https://download.bitdefender.com/resources/files/News/CaseStudies/study/200/Bitdefender-Whitepaper-RADrat-crea2645-A4-en-EN-interactive.pdf 4786fa468111632ea66f03dfd868ca95fb91d4472b2c332d46d8444c19c75624

[decrypt-data-via-sspi.yml] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf 2a51ef6d115daa648ddd57d1e4480f5a18daf40986bfde32aab19349aa010e67

[encode-data-using-base64-via-winapi.yml] https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/92000/KB92415/en_US/McAfee_Labs_Threat_Advisory_Maze.pdf b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1

[encrypt-data-using-salsa20-or-chacha.yml] https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf 13c0fd18c602dd6aa71d78072ad6617a1871cf24b366a12c8c3f2f278f301f5c

[encrypt-data-via-sspi.yml] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf 2a51ef6d115daa648ddd57d1e4480f5a18daf40986bfde32aab19349aa010e67

[enumerate-browser-history.yml] https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target 24973014fa8174ffff190ae7967a65307a23d42386683dc672babd9c6cf1e5ee

[enumerate-graphical-windows.yml] https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4805-ccn-cert-id-09-20-guloader-english/file.html 5d91ff8d079c5d890da78adb8871e146749872911efe2ebf22cfd02c698ed33d

[enumerate-system-firmware-tables.yml] https://infosec.cert-pa.it/analyze/4a7b3ead2eff0b8dee43337a652084e5.pdf 8e37833af9c07877aa9a0fb9f1fe82f0fc0187d8ac4457714b12d2fb1204c384

[enumerate-threads.yml] https://vk-intel.org/2018/09/10/lets-learn-dissecting-dridex-banking-malware-part-1-loader-and-avast-snxk-dll-hooking-lib/ 916781bc62be8073748af7d1ca301f0ff27e6dd8069d859a003b6eb6a9c305a4

[get-comspec-environment-variable.yml] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf 69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db

[get-file-size.yml] https://www.crowdstrike.com/blog/guloader-malware-analysis/ bfa5dba46db1253587058b0392c04c8403846fa55d7dcf1044e94e6a654d4715

[get-file-version-info.yml] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf 2a51ef6d115daa648ddd57d1e4480f5a18daf40986bfde32aab19349aa010e67

[get-mac-address.yml] (Possibly for different use than what the rule outlines) https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

[get-routing-table.yml] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2012/08/20083155/bencsathPBF11duqu.pdf f1ee026692c8458bdd698884183150eb2b898a576bc1d94668bf9e0ec1bb7507

[get-system-firmware-table.yml] https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot 9dd12d3a32d2ba133bac8747f872f649b389a9cf3f4baaa9fad69a43d2e4f982

[get-thread-local-storage-value.yml] https://vk-intel.org/2018/10/ 306e515018f3f43a8edd98f29097b8a340f48920c74e127994a7f164f7385684

[get-token-membership.yml] https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack ad6b1c258c45d7661ef929a5250a69f1a1c7898e90d782772671f3398cb875fb

[hash-data-with-md5.yml] https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/ 82f028e147471e6f8c8d283dbfaba3f5629eda458d818e1a4ddb8c9337fc0118

[hide-thread-from-debugger.yml] https://www.crowdstrike.com/blog/guloader-malware-analysis/ bfa5dba46db1253587058b0392c04c8403846fa55d7dcf1044e94e6a654d4715

[move-file.yml] https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de aa0cbe599839db940f6cc2f4ca1383dbb9937b8c7dd6460847c983523cd63c39

[packaged-as-a-nsis-installer.yml] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-families-use-nsis-installers-to-avoid-detection-analysis/ 1a06e44df2fcf39471b7604695f0fc81174874219d4226d27ef4453ae3c9614b

re-fox commented 4 years ago

This looks good. Also tied to https://github.com/fireeye/capa-rules/issues/55

mr-tz commented 4 years ago

Very cool, thank you @0x262D

williballenthin commented 4 years ago

looks like the user has since deleted their account :-(