From 00bc1a169e632565e39d6c6fc443d484c7c3ae26 Mon Sep 17 00:00:00 2001
From: Moritz Raabe
Date: Thu, 1 Oct 2020 10:36:01 +0200
Subject: [PATCH] render mbc table

---
 capa/render/default.py | 57 ++++++++++++++++++++++++++++++++++++++++++
 rules | 2 +-
 2 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/capa/render/default.py b/capa/render/default.py
index b374883e..6e813f7e 100644
--- a/capa/render/default.py
+++ b/capa/render/default.py
@@ -161,6 +161,61 @@ def render_attack(doc, ostream):
         ostream.write("\n")
 
 
+def render_mbc(doc, ostream):
+    """
+    example::
+
+        +--------------------------+------------------------------------------------------------+
+        | MBC Objective            | MBC Behavior                                               |
+        |--------------------------+------------------------------------------------------------|
+        | ANTI-BEHAVIORAL ANALYSIS | Virtual Machine Detection::Instruction Testing [B0009.029] |
+        | COLLECTION               | Keylogging::Polling [F0002.002]                            |
+        | COMMUNICATION            | Interprocess Communication::Create Pipe [C0003.001]        |
+        |                          | Interprocess Communication::Write Pipe [C0003.004]         |
+        | IMPACT                   | Remote Access::Reverse Shell [B0022.001]                   |
+        +--------------------------+------------------------------------------------------------+
+    """
+    objectives = collections.defaultdict(set)
+    for rule in rutils.capability_rules(doc):
+        if not rule["meta"].get("mbc"):
+            continue
+
+        for mbc in rule["meta"]["mbc"]:
+            objective, _, rest = mbc.partition("::")
+            if "::" in rest:
+                behavior, _, rest = rest.partition("::")
+                method, _, id = rest.rpartition(" ")
+                objectives[objective].add((behavior, method, id))
+            else:
+                behavior, _, id = rest.rpartition(" ")
+                objectives[objective].add((behavior, id))
+
+    rows = []
+    for objective, behaviors in sorted(objectives.items()):
+        inner_rows = []
+        for spec in sorted(behaviors):
+            if len(spec) == 2:
+                behavior, id = spec
+                inner_rows.append("%s %s" % (rutils.bold(behavior), id))
+            elif len(spec) == 3:
+                behavior, method, id = spec
+                inner_rows.append("%s::%s %s" % (rutils.bold(behavior), method, id))
+            else:
+                raise RuntimeError("unexpected MBC spec format")
+        rows.append(
+            (
+                rutils.bold(objective.upper()),
+                "\n".join(inner_rows),
+            )
+        )
+
+    if rows:
+        ostream.write(
+            tabulate.tabulate(rows, headers=[width("MBC Objective", 25), width("MBC Behavior", 75)], tablefmt="psql")
+        )
+        ostream.write("\n")
+
+
 def render_default(doc):
     ostream = rutils.StringIO()
 
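Review bot: The `rest.rpartition(" ")` parsing in render_mbc silently mis-splits an `mbc` entry that lacks the trailing `[ID]` token — the last whitespace-separated word becomes `id` and whatever precedes it (possibly an empty string) becomes `behavior`/`method`, so a malformed entry renders as a wrong or blank bold cell instead of being reported. Because these strings come straight from rule metadata, which may include third-party rule packs, I would validate the tail before adding the tuple, e.g. `if not (id.startswith("[") and id.endswith("]")): raise ValueError("malformed MBC entry: %s" % mbc)`, unless rule loading already enforces this format, which is not visible in this hunk. The `else: raise RuntimeError("unexpected MBC spec format")` branch in the second loop is unreachable since only 2- and 3-tuples are ever added; keeping it as a guard is fine, but a one-line comment saying so, `# defensive: only 2- and 3-tuples are added above`, would spare the next reader the question. Minor style point: `id` shadows the builtin throughout the function; `mbc_id` reads better and avoids the linter warning.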
@@ -168,6 +223,8 @@ def render_default(doc):
     ostream.write("\n")
     render_attack(doc, ostream)
     ostream.write("\n")
+    render_mbc(doc, ostream)
+    ostream.write("\n")
     render_capabilities(doc, ostream)
     return ostream.getvalue()
 
diff --git a/rules b/rules
index 1ac09299..648523d0 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 1ac09299fa62592a4620a34871d2abe5ab1dbb00
+Subproject commit 648523d0bba2a3751cbc4644b22cf624724f165b