From cad482b294d88998562d395ede6ced9813bff2c1 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Tue, 7 Feb 2023 15:49:08 +0100
Subject: [PATCH] Consolidate c2 and communication namespaces (#692)
* move c2 under communication
* update namespace
* reduce false positives
---
README.md | 3 +--
.../vm-detection/reference-anti-vm-strings-targeting-qemu.yml | 2 +-
.../c2}/file-transfer/download-and-write-a-file.yml | 2 +-
.../c2}/file-transfer/write-and-execute-a-file.yml | 2 +-
.../c2}/shell/create-reverse-shell-on-linux.yml | 2 +-
{c2 => communication/c2}/shell/create-reverse-shell.yml | 2 +-
.../c2}/shell/execute-shell-command-and-capture-output.yml | 2 +-
.../execute-shell-command-received-from-socket-on-linux.yml | 2 +-
doc/format.md | 3 +--
nursery/read-and-send-data-from-client-to-server.yml | 2 +-
nursery/receive-and-write-data-from-server-to-client.yml | 2 +-
11 files changed, 11 insertions(+), 13 deletions(-)
rename {c2 => communication/c2}/file-transfer/download-and-write-a-file.yml (91%)
rename {c2 => communication/c2}/file-transfer/write-and-execute-a-file.yml (90%)
rename {c2 => communication/c2}/shell/create-reverse-shell-on-linux.yml (92%)
rename {c2 => communication/c2}/shell/create-reverse-shell.yml (95%)
rename {c2 => communication/c2}/shell/execute-shell-command-and-capture-output.yml (96%)
rename {c2 => communication/c2}/shell/execute-shell-command-received-from-socket-on-linux.yml (91%)
diff --git a/README.md b/README.md
index 913691a2a..68a029d6d 100644
--- a/README.md
+++ b/README.md
@@ -67,9 +67,8 @@ Namespaces are hierarchical, so the children of a namespace encodes its specific In a few words each, the top level namespaces are: - [anti-analysis](./anti-analysis/) - packing, obfuscation, anti-X, etc. - - [c2](./c2/) - commands that may be issued by a controller, such as interactive shell or file transfer - [collection](./collection/) - data that may be enumerated and collected for exfiltration - - [communication](./communication/) - HTTP, TCP, etc. + - [communication](./communication/) - HTTP, TCP, command and control (C2) traffic, etc. - [compiler](./compiler/) - detection of build environments, such as MSVC, Delphi, or AutoIT - [data-manipulation](./data-manipulation/) - encryption, hashing, etc. - [executable](./executable/) - characteristics of the executable, such as PE sections or debug info diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml index 20ef5927d..c9ebbf58c 100644 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml @@ -18,4 +18,4 @@ rule: - string: /Qemu/i - string: /qemu-ga.exe/i - string: /BOCHS/i - - string: /BXPC/i + - string: /^BXPC/i diff --git a/c2/file-transfer/download-and-write-a-file.yml b/communication/c2/file-transfer/download-and-write-a-file.yml similarity index 91% rename from c2/file-transfer/download-and-write-a-file.yml rename to communication/c2/file-transfer/download-and-write-a-file.yml index 6c35a86ea..f78cc532a 100644 --- a/c2/file-transfer/download-and-write-a-file.yml +++ b/communication/c2/file-transfer/download-and-write-a-file.yml @@ -1,7 +1,7 @@ rule: meta: name: download and write a file - namespace: c2/file-transfer + namespace: communication/c2/file-transfer maec/malware-category: downloader authors: - moritz.raabe@mandiant.com 
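Review bot: Anchoring only `/^BXPC/i` leaves the sibling patterns in the same list, `/Qemu/i` and `/BOCHS/i`, unanchored, so they may still match as substrings of unrelated strings and the false-positive reduction named in the commit message reaches just one of the four entries, while nothing in the rule records why BXPC alone needed it. A short comment on the changed line would keep that rationale with the rule, e.g. `- string: /^BXPC/i  # anchored: unanchored BXPC matched unrelated strings`. It is also worth confirming against capa's string-feature matching that `^` binds to the start of the extracted string rather than to a line inside it, since the rule's behaviour now depends on that. The enclosing rule begins before the hunk, so its description and any existing comments are not visible here.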
diff --git a/c2/file-transfer/write-and-execute-a-file.yml b/communication/c2/file-transfer/write-and-execute-a-file.yml similarity index 90% rename from c2/file-transfer/write-and-execute-a-file.yml rename to communication/c2/file-transfer/write-and-execute-a-file.yml index c9fd51678..aed75a191 100644 --- a/c2/file-transfer/write-and-execute-a-file.yml +++ b/communication/c2/file-transfer/write-and-execute-a-file.yml @@ -1,7 +1,7 @@ rule: meta: name: write and execute a file - namespace: c2/file-transfer + namespace: communication/c2/file-transfer maec/malware-category: launcher authors: - moritz.raabe@mandiant.com diff --git a/c2/shell/create-reverse-shell-on-linux.yml b/communication/c2/shell/create-reverse-shell-on-linux.yml similarity index 92% rename from c2/shell/create-reverse-shell-on-linux.yml rename to communication/c2/shell/create-reverse-shell-on-linux.yml index 5e1de9cad..0ed07655f 100644 --- a/c2/shell/create-reverse-shell-on-linux.yml +++ b/communication/c2/shell/create-reverse-shell-on-linux.yml @@ -1,7 +1,7 @@ rule: meta: name: create reverse shell on Linux - namespace: c2/shell + namespace: communication/c2/shell authors: - joakim@intezer.com scope: function diff --git a/c2/shell/create-reverse-shell.yml b/communication/c2/shell/create-reverse-shell.yml similarity index 95% rename from c2/shell/create-reverse-shell.yml rename to communication/c2/shell/create-reverse-shell.yml index acc199a56..a6748b36e 100644 --- a/c2/shell/create-reverse-shell.yml +++ b/communication/c2/shell/create-reverse-shell.yml @@ -1,7 +1,7 @@ rule: meta: name: create reverse shell - namespace: c2/shell + namespace: communication/c2/shell authors: - moritz.raabe@mandiant.com scope: function 
diff --git a/c2/shell/execute-shell-command-and-capture-output.yml b/communication/c2/shell/execute-shell-command-and-capture-output.yml similarity index 96% rename from c2/shell/execute-shell-command-and-capture-output.yml rename to communication/c2/shell/execute-shell-command-and-capture-output.yml index 80bf80660..1653efcaf 100644 --- a/c2/shell/execute-shell-command-and-capture-output.yml +++ b/communication/c2/shell/execute-shell-command-and-capture-output.yml @@ -1,7 +1,7 @@ rule: meta: name: execute shell command and capture output - namespace: c2/shell + namespace: communication/c2/shell authors: - matthew.williams@mandiant.com scope: function diff --git a/c2/shell/execute-shell-command-received-from-socket-on-linux.yml b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml similarity index 91% rename from c2/shell/execute-shell-command-received-from-socket-on-linux.yml rename to communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml index 10119e5ae..f8b7688ed 100644 --- a/c2/shell/execute-shell-command-received-from-socket-on-linux.yml +++ b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml @@ -1,7 +1,7 @@ rule: meta: name: execute shell command received from socket on Linux - namespace: c2/shell + namespace: communication/c2/shell authors: - joakim@intezer.com scope: function diff --git a/doc/format.md b/doc/format.md index 61905743d..4c7c4ecf5 100644 --- a/doc/format.md +++ b/doc/format.md 
@@ -201,9 +201,8 @@ Namespaces are hierarchical, so the children of a namespace encodes its specific In a few words each, the top level namespaces are: - [anti-analysis](https://github.com/mandiant/capa-rules/tree/master/anti-analysis/) - packing, obfuscation, anti-X, etc. - - [c2](https://github.com/mandiant/capa-rules/tree/master/c2/) - commands that may be issued by a controller, such as interactive shell or file transfer - [collection](https://github.com/mandiant/capa-rules/tree/master/collection/) - data that may be enumerated and collected for exfiltration - - [communication](https://github.com/mandiant/capa-rules/tree/master/communication/) - HTTP, TCP, etc. + - [communication](https://github.com/mandiant/capa-rules/tree/master/communication/) - HTTP, TCP, command and control (C2) traffic, etc. - [compiler](https://github.com/mandiant/capa-rules/tree/master/compiler/) - detection of build environments, such as MSVC, Delphi, or AutoIT - [data-manipulation](https://github.com/mandiant/capa-rules/tree/master/data-manipulation/) - encryption, hashing, etc. - [executable](https://github.com/mandiant/capa-rules/tree/master/executable/) - characteristics of the executable, such as PE sections or debug info diff --git a/nursery/read-and-send-data-from-client-to-server.yml b/nursery/read-and-send-data-from-client-to-server.yml index cd5318a7a..7b2d870b7 100644 --- a/nursery/read-and-send-data-from-client-to-server.yml +++ b/nursery/read-and-send-data-from-client-to-server.yml @@ -1,7 +1,7 @@ rule: meta: name: read and send data from client to server - namespace: c2/file-transfer + namespace: communication/c2/file-transfer authors: - william.ballenthin@mandiant.com scope: function diff --git a/nursery/receive-and-write-data-from-server-to-client.yml b/nursery/receive-and-write-data-from-server-to-client.yml index 2d8ecd2a5..09e72dbbc 100644 --- a/nursery/receive-and-write-data-from-server-to-client.yml +++ b/nursery/receive-and-write-data-from-server-to-client.yml 
@@ -1,7 +1,7 @@ rule: meta: name: receive and write data from server to client - namespace: c2/file-transfer + namespace: communication/c2/file-transfer authors: - william.ballenthin@mandiant.com scope: function