Consolidate c2 and communication namespaces (mandiant#692)

* move c2 under communication * update namespace * reduce false positives
Bhairvi23 · Feb 7, 2023 · cad482b · cad482b
1 parent 695e1e4
commit cad482b
Show file tree

Hide file tree

Showing 11 changed files with 11 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -67,9 +67,8 @@ Namespaces are hierarchical, so the children of a namespace encodes its specific
 In a few words each, the top level namespaces are:
 
   - [anti-analysis](./anti-analysis/) - packing, obfuscation, anti-X, etc.
-  - [c2](./c2/) - commands that may be issued by a controller, such as interactive shell or file transfer
   - [collection](./collection/) - data that may be enumerated and collected for exfiltration
-  - [communication](./communication/) - HTTP, TCP, etc.
+  - [communication](./communication/) - HTTP, TCP, command and control (C2) traffic, etc.
   - [compiler](./compiler/) - detection of build environments, such as MSVC, Delphi, or AutoIT
   - [data-manipulation](./data-manipulation/) - encryption, hashing, etc.
   - [executable](./executable/) - characteristics of the executable, such as PE sections or debug info

diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml
@@ -18,4 +18,4 @@ rule:
       - string: /Qemu/i
       - string: /qemu-ga.exe/i
       - string: /BOCHS/i
-      - string: /BXPC/i
+      - string: /^BXPC/i
diff --git a/...le-transfer/download-and-write-a-file.yml → ...le-transfer/download-and-write-a-file.yml b/...le-transfer/download-and-write-a-file.yml → ...le-transfer/download-and-write-a-file.yml
@@ -1,7 +1,7 @@
 rule:
   meta:
     name: download and write a file
-    namespace: c2/file-transfer
+    namespace: communication/c2/file-transfer
     maec/malware-category: downloader
     authors:
       - [email protected]

diff --git a/...ile-transfer/write-and-execute-a-file.yml → ...ile-transfer/write-and-execute-a-file.yml b/...ile-transfer/write-and-execute-a-file.yml → ...ile-transfer/write-and-execute-a-file.yml
@@ -1,7 +1,7 @@
 rule:
   meta:
     name: write and execute a file
-    namespace: c2/file-transfer
+    namespace: communication/c2/file-transfer
     maec/malware-category: launcher
     authors:
       - [email protected]

diff --git a/c2/shell/create-reverse-shell-on-linux.yml → ...2/shell/create-reverse-shell-on-linux.yml b/c2/shell/create-reverse-shell-on-linux.yml → ...2/shell/create-reverse-shell-on-linux.yml
@@ -1,7 +1,7 @@
 rule:
   meta:
     name: create reverse shell on Linux
-    namespace: c2/shell
+    namespace: communication/c2/shell
     authors:
       - [email protected]
     scope: function

diff --git a/c2/shell/create-reverse-shell.yml → ...ication/c2/shell/create-reverse-shell.yml b/c2/shell/create-reverse-shell.yml → ...ication/c2/shell/create-reverse-shell.yml
@@ -1,7 +1,7 @@
 rule:
   meta:
     name: create reverse shell
-    namespace: c2/shell
+    namespace: communication/c2/shell
     authors:
       - [email protected]
     scope: function

diff --git a/...cute-shell-command-and-capture-output.yml → ...cute-shell-command-and-capture-output.yml b/...cute-shell-command-and-capture-output.yml → ...cute-shell-command-and-capture-output.yml
@@ -1,7 +1,7 @@
 rule:
   meta:
     name: execute shell command and capture output
-    namespace: c2/shell
+    namespace: communication/c2/shell
     authors:
       - [email protected]
     scope: function

diff --git a/...command-received-from-socket-on-linux.yml → ...command-received-from-socket-on-linux.yml b/...command-received-from-socket-on-linux.yml → ...command-received-from-socket-on-linux.yml
@@ -1,7 +1,7 @@
 rule:
   meta:
     name: execute shell command received from socket on Linux
-    namespace: c2/shell
+    namespace: communication/c2/shell
     authors:
       - [email protected]
     scope: function

diff --git a/doc/format.md b/doc/format.md
@@ -201,9 +201,8 @@ Namespaces are hierarchical, so the children of a namespace encodes its specific
 In a few words each, the top level namespaces are:
 
   - [anti-analysis](https://github.com/mandiant/capa-rules/tree/master/anti-analysis/) - packing, obfuscation, anti-X, etc.
-  - [c2](https://github.com/mandiant/capa-rules/tree/master/c2/) - commands that may be issued by a controller, such as interactive shell or file transfer
   - [collection](https://github.com/mandiant/capa-rules/tree/master/collection/) - data that may be enumerated and collected for exfiltration
-  - [communication](https://github.com/mandiant/capa-rules/tree/master/communication/) - HTTP, TCP, etc.
+  - [communication](https://github.com/mandiant/capa-rules/tree/master/communication/) - HTTP, TCP, command and control (C2) traffic, etc.
   - [compiler](https://github.com/mandiant/capa-rules/tree/master/compiler/) - detection of build environments, such as MSVC, Delphi, or AutoIT
   - [data-manipulation](https://github.com/mandiant/capa-rules/tree/master/data-manipulation/) - encryption, hashing, etc.
   - [executable](https://github.com/mandiant/capa-rules/tree/master/executable/) - characteristics of the executable, such as PE sections or debug info

diff --git a/nursery/read-and-send-data-from-client-to-server.yml b/nursery/read-and-send-data-from-client-to-server.yml
@@ -1,7 +1,7 @@
 rule:
   meta:
     name: read and send data from client to server
-    namespace: c2/file-transfer
+    namespace: communication/c2/file-transfer
     authors:
       - [email protected]
     scope: function

diff --git a/nursery/receive-and-write-data-from-server-to-client.yml b/nursery/receive-and-write-data-from-server-to-client.yml
@@ -1,7 +1,7 @@
 rule:
   meta:
     name: receive and write data from server to client
-    namespace: c2/file-transfer
+    namespace: communication/c2/file-transfer
     authors:
       - [email protected]
     scope: function