From 153d4c0d2c61ebce6ea4e47d47c648dd1a80ebc9 Mon Sep 17 00:00:00 2001
From: ryan
Date: Wed, 21 Jun 2023 10:45:01 -0400
Subject: [PATCH] Update Mappings for MBC

---
 communication/http/reference-http-user-agent-string.yml | 2 ++
 communication/socket/create-raw-socket.yml | 2 ++
 .../compression/compress-data-via-zlib-inflate-or-deflate.yml | 2 ++
 host-interaction/process/inject/inject-apc.yml | 2 ++
 impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml | 2 ++
 5 files changed, 10 insertions(+)

diff --git a/communication/http/reference-http-user-agent-string.yml b/communication/http/reference-http-user-agent-string.yml
index b277500c7..672dd614b 100644
--- a/communication/http/reference-http-user-agent-string.yml
+++ b/communication/http/reference-http-user-agent-string.yml
@@ -6,6 +6,8 @@ rule:
 authors:
 - "@mr-tz"
 scope: function
+ mbc:
+ - Communication::HTTP Communication [C0002]
 references:
 - https://www.useragents.me/
 - https://www.whatismybrowser.com/guides/the-latest-user-agent/
diff --git a/communication/socket/create-raw-socket.yml b/communication/socket/create-raw-socket.yml
index 8ffea01b2..4e5185b94 100644
--- a/communication/socket/create-raw-socket.yml
+++ b/communication/socket/create-raw-socket.yml
@@ -6,6 +6,8 @@ rule:
 authors:
 - blas.kojusner@mandiant.com
 scope: basic block
+ mbc:
+ - Communication::Socket Communication::Create Socket [C0001.003]
 references:
 - https://learn.microsoft.com/en-us/windows/win32/winsock/tcp-ip-raw-sockets-2
 - https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket
diff --git a/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml b/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml
index 71f7e8fd0..f6d36ea11 100644
--- a/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml
+++ b/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml
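Review bot: The added `mbc` entry `Communication::HTTP Communication [C0002]` is a behavior-level ID, while the rule it annotates is narrower (it references a specific HTTP User-Agent string) and the create-raw-socket.yml hunk in this same commit maps to a method-level ID `[C0001.003]`. If the MBC catalogue defines a method under C0002 that covers the User-Agent header, the `Objective::Behavior::Method [ID]` form would keep the two hunks at the same granularity and be more useful to analysts reading capa output; if no such method exists, the behavior-level entry is fine as written. The `meta` mapping this key is inserted into starts before the hunk.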
@@ -6,6 +6,8 @@ rule:
 authors:
 - blas.kojusner@mandiant.com
 scope: function
+ mbc:
+ - Data::Compress Data [C0024]
 references:
 - https://github.com/madler/zlib/blob/cacf7f1d4e3d44d871b605da3b647f07d718623f/inflate.c#L622
 - https://github.com/madler/zlib/blob/cacf7f1d4e3d44d871b605da3b647f07d718623f/deflate.c#L763
diff --git a/host-interaction/process/inject/inject-apc.yml b/host-interaction/process/inject/inject-apc.yml
index 6f803b9da..6ecff4e3f 100644
--- a/host-interaction/process/inject/inject-apc.yml
+++ b/host-interaction/process/inject/inject-apc.yml
@@ -7,6 +7,8 @@ rule:
 scope: function
 att&ck:
 - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004]
+ mbc:
+ - Defense Evasion::Process Injection::Asynchronous Procedure Call [E1055.004]
 examples:
 - al-khaser_x64.exe_:0x140019348
 features:
diff --git a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
index ec85963bd..7fd1819f7 100644
--- a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
+++ b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
@@ -7,6 +7,8 @@ rule:
 scope: function
 att&ck:
 - Impact::Disk Wipe::Disk Structure Wipe [T1561.002]
+ mbc:
+ - Impact::Disk Wipe [F0014]
 examples:
 - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x100070A0
 features:
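Review bot: `Data::Compress Data [C0024]` covers only half of what this rule matches: the file name and the two references directly below the new lines point at both zlib inflate (decompression) and deflate (compression), so a function hit on the inflate path would be reported as compressing data. If MBC defines a distinct decompression behavior under the Data objective, add it as a second list item under `mbc:`; if it does not, a sentence in the rule's description saying the MBC mapping applies to the deflate case would avoid misleading triage output. The enclosing `meta` mapping begins before the hunk.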
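Review bot: The new `Impact::Disk Wipe [F0014]` entry is one level coarser than the `att&ck` entry immediately above it, which is pinned to the sub-technique Disk Structure Wipe [T1561.002], and the rule name itself (overwrite MBR) is structure-specific. If MBC defines a method under F0014 for structure or boot-record wiping, using that `Objective::Behavior::Method [ID]` would keep both frameworks describing the rule at the same granularity; if F0014 has no methods, the behavior-level entry is acceptable as is. The `meta` block this key is added to starts before the hunk.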