From fdc8eb9c4ca8dc4a2b18f33a6030ad875eeed3b2 Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Sat, 14 Mar 2026 17:07:55 +0530
Subject: [PATCH 1/2] rules: add nursery rule for shellcode execution via ReadDirectoryChanges
---
 ...ute-shellcode-via-readdirectorychanges.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 nursery/execute-shellcode-via-readdirectorychanges.yml
diff --git a/nursery/execute-shellcode-via-readdirectorychanges.yml b/nursery/execute-shellcode-via-readdirectorychanges.yml
new file mode 100644
index 000000000..4ed104f8b
--- /dev/null
+++ b/nursery/execute-shellcode-via-readdirectorychanges.yml
@@ -0,0 +1,31 @@
+rule:
+ meta:
+ name: execute shellcode via ReadDirectoryChanges
+ namespace: load-code/shellcode
+ authors:
+ - akshatpal@users.noreply.github.com
+ description: detect execution of arbitrary shellcode via ReadDirectoryChanges completion routines
+ scopes:
+ static: function
+ dynamic: span of calls
+ att&ck:
+ - Defense Evasion::Reflective Code Loading [T1620]
+ mbc:
+ - Defense Evasion::Hijack Execution Flow::Abuse Windows Function Calls [F0015.006]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-readdirectorychangesw
+ - https://learn.microsoft.com/en-us/windows/win32/api/minwinbase/nc-minwinbase-lpoverlapped_completion_routine
+ features:
+ - and:
+ - match: allocate or change RWX memory
+ - or:
+ - api: ReadDirectoryChangesW
+ - api: ReadDirectoryChangesExW
+ - or:
+ - api: SleepEx
+ - api: WaitForSingleObjectEx
+ - api: WaitForMultipleObjectsEx
+ - optional:
+ - or:
+ - api: CreateFileA
+ - api: CreateFileW
From e381e6f3b67b906c942d61fc7a0c202b4bd5bb4c Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Thu, 19 Mar 2026 22:18:47 +0530
Subject: [PATCH 2/2] requested-changes
---
 nursery/execute-shellcode-via-readdirectorychanges.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
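Review bot: The `description` says the shellcode runs via a ReadDirectoryChanges completion routine, but nothing under `features` expresses that relationship; the alertable-wait `or:` (`SleepEx` / `WaitForSingleObjectEx` / `WaitForMultipleObjectsEx`) is the only hint, and a reader has to already know that the completion routine is delivered as an APC while the thread sits in an alertable wait to see why exactly those three are required. A one-line YAML comment above that block, `# alertable wait: the completion routine is delivered as an APC, so one of these must be present for it to run`, would make the rule self-explaining and keep a later cleanup from dropping the block as unrelated. The `meta` block also carries no `examples:` entry, so there is no sample to regression-test the logic against; when one is available, add `examples:` with its hash (placeholder: `<SAMPLE_SHA256>`), since that is what gates promotion out of nursery. Note the second commit on this page renames the api entries and collapses the optional block, so these comments belong on that version of the file.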
diff --git a/nursery/execute-shellcode-via-readdirectorychanges.yml b/nursery/execute-shellcode-via-readdirectorychanges.yml
index 4ed104f8b..a8de0dd0b 100644
--- a/nursery/execute-shellcode-via-readdirectorychanges.yml
+++ b/nursery/execute-shellcode-via-readdirectorychanges.yml
@@ -19,13 +19,11 @@ rule:
 - and:
 - match: allocate or change RWX memory
 - or:
- - api: ReadDirectoryChangesW
- - api: ReadDirectoryChangesExW
+ - api: ReadDirectoryChanges
+ - api: ReadDirectoryChangesEx
 - or:
 - api: SleepEx
 - api: WaitForSingleObjectEx
 - api: WaitForMultipleObjectsEx
 - optional:
- - or:
- - api: CreateFileA
- - api: CreateFileW
+ - api: CreateFile
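Review bot: `ReadDirectoryChanges` and `ReadDirectoryChangesEx` are not exported names — only the `W` forms exist, with no ANSI variant — so the un-suffixed spellings on the two added lines only match if the matcher strips the A/W suffix from `api:` features, which I believe the capa engine (this looks like a capa-rules file) does, but the rule does not say so. A short comment on the first of those lines, `# un-suffixed on purpose: the matcher resolves this to the W export`, would stop the next reader from "fixing" the names back to what the first commit had. The same reasoning applies to the `CreateFile` line at the end of the hunk, though there both A and W variants exist so the intent is already clearer. The enclosing `features:` block begins before the hunk.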