
rules: apply rule reorganization #14

Merged (6 commits, Jun 29, 2020)

Conversation

@williballenthin (Collaborator) commented Jun 25, 2020

migration applied using the script in mandiant/capa#25
migration plan: migration.csv.txt

top level namespaces:

(env2) user@hostname ~/c/capa-rules> ls -1
anti-analysis
c2
collection
communication
compiler
data-manipulation
executable
host-interaction
impact
linking
load-code
persistence
runtime
targeting

@williballenthin added the "dont merge" label (Indicate a PR that is still being worked on) Jun 25, 2020
@williballenthin (Collaborator, Author)

namespace structure:

(env2) user@hostname ~/c/capa-rules> tree
.
├── anti-analysis
│   ├── anti-debugging
│   │   └── debugger-detection
│   │       ├── check-for-outputdebugstring-error.yml
│   │       ├── check-for-peb-beingdebugged-flag.yml
│   │       ├── check-for-peb-ntglobalflag-flag.yml
│   │       ├── check-for-time-delay-via-gettickcount.yml
│   │       ├── check-for-time-delay-via-queryperformancecounter.yml
│   │       └── execute-anti-debugging-instructions.yml
│   ├── anti-forensic
│   │   ├── self-deletion
│   │   │   └── self-delete-via-comspec-environment-variable.yml
│   │   └── timestomp
│   │       └── timestomp-file.yml
│   ├── anti-vm
│   │   └── vm-detection
│   │       ├── execute-anti-vm-instructions.yml
│   │       ├── reference-anti-vm-strings.yml
│   │       ├── reference-processor-manufacturer-constants.yml
│   │       └── reference-the-vmware-io-port.yml
│   ├── obfuscation
│   │   └── string
│   │       └── stackstring
│   │           └── contain-obfuscated-stackstrings.yml
│   └── packer
│       ├── confuser
│       │   └── packed-with-confuser.yml
│       ├── generic
│       │   └── packed-with-generic-packer.yml
│       ├── upx
│       │   └── packed-with-upx.yml
│       └── vmprotect
│           └── packed-with-vmprotect.yml
├── c2
│   ├── file-transfer
│   │   ├── read-and-send-data-from-client-to-server.yml
│   │   └── receive-and-write-data-from-server-to-client.yml
│   └── shell
│       └── create-reverse-shell.yml
├── collection
│   ├── credit-card
│   │   └── search-for-credit-card-data.yml
│   ├── database
│   │   └── sql
│   │       └── reference-sql-statements.yml
│   ├── keylog
│   │   ├── log-keystrokes-via-application-hook.yml
│   │   ├── log-keystrokes-via-polling.yml
│   │   └── log-keystrokes.yml
│   └── screenshot
│       └── capture-screenshot.yml
├── communication
│   ├── ftp
│   │   └── send
│   │       └── send-file-using-ftp-via-wininet.yml
│   ├── http
│   │   ├── client
│   │   │   ├── connect-to-http-server.yml
│   │   │   ├── connect-to-url.yml
│   │   │   ├── create-http-request.yml
│   │   │   ├── decompress-http-response-via-iencodingfilterfactory.yml
│   │   │   ├── download-url-to-file.yml
│   │   │   ├── extract-http-body.yml
│   │   │   ├── get-http-document-via-iwebbrowser2.yml
│   │   │   ├── get-http-response-content-encoding.yml
│   │   │   ├── prepare-http-request.yml
│   │   │   ├── read-data-from-internet.yml
│   │   │   ├── receive-http-response.yml
│   │   │   ├── send-file-via-http.yml
│   │   │   └── send-http-request.yml
│   │   ├── connect-network-resource.yml
│   │   ├── initialize-iwebbrowser2.yml
│   │   ├── initialize-winhttp-library.yml
│   │   ├── read-http-header.yml
│   │   ├── send-http-request-with-host-header.yml
│   │   ├── server
│   │   │   ├── receive-http-request.yml
│   │   │   ├── send-http-response.yml
│   │   │   └── start-http-server.yml
│   │   └── set-http-header.yml
│   ├── named-pipe
│   │   ├── connect
│   │   │   └── connect-pipe.yml
│   │   ├── create
│   │   │   └── create-pipe.yml
│   │   ├── read
│   │   │   └── read-pipe.yml
│   │   └── write
│   │       └── write-pipe.yml
│   ├── receive-data.yml
│   ├── send-data.yml
│   ├── socket
│   │   ├── get-socket-status.yml
│   │   ├── initialize-winsock-library.yml
│   │   ├── receive
│   │   │   └── receive-data-on-socket.yml
│   │   ├── send
│   │   │   └── send-data-on-socket.yml
│   │   ├── set-socket-configuration.yml
│   │   ├── tcp
│   │   │   ├── connect-tcp-socket.yml
│   │   │   ├── create-tcp-socket.yml
│   │   │   └── send
│   │   │       └── send-tcp-data-via-wfp-api.yml
│   │   └── udp
│   │       └── send
│   │           └── create-udp-socket.yml
│   └── tcp
│       ├── client
│       │   └── act-as-tcp-client.yml
│       └── serve
│           └── start-tcp-server.yml
├── compiler
│   ├── autoit
│   │   └── compiled-with-autoit.yml
│   ├── delphi
│   │   └── compiled-with-borland-delphi.yml
│   └── mingw
│       └── compiled-with-mingw-for-windows.yml
├── data-manipulation
│   ├── checksum
│   │   └── crc32
│   │       ├── hash-data-using-crc32b.yml
│   │       └── hash-data-with-crc32.yml
│   ├── compression
│   │   ├── compress-data-via-winapi.yml
│   │   └── decompress-data-via-iencodingfilterfactory.yml
│   ├── encoding
│   │   ├── base64
│   │   │   ├── encode-data-using-base64-via-winapi.yml
│   │   │   ├── encode-data-using-base64.yml
│   │   │   └── reference-base64-string.yml
│   │   └── xor
│   │       └── encode-data-using-xor.yml
│   ├── encryption
│   │   ├── aes
│   │   │   ├── decrypt-data-using-aes-via-x86-extensions.yml
│   │   │   ├── encrypt-data-using-aes-via-.net.yml
│   │   │   ├── encrypt-data-using-aes-via-winapi.yml
│   │   │   ├── encrypt-data-using-aes-via-x86-extensions.yml
│   │   │   └── reference-aes-constants.yml
│   │   ├── dpapi
│   │   │   └── encrypt-data-using-dpapi.yml
│   │   ├── encrypt-or-decrypt-via-wincrypt.yml
│   │   ├── rc4
│   │   │   ├── encrypt-data-using-rc4-ksa.yml
│   │   │   ├── encrypt-data-using-rc4-prga.yml
│   │   │   └── encrypt-data-using-rc4-via-winapi.yml
│   │   ├── rc6
│   │   │   └── encrypt-data-using-rc6.yml
│   │   └── salsa20
│   │       └── encrypt-data-using-salsa20-or-chacha.yml
│   ├── hashing
│   │   ├── initialize-hashing-via-wincrypt.yml
│   │   ├── md5
│   │   │   └── hash-data-with-md5.yml
│   │   ├── sha1
│   │   │   ├── hash-data-using-sha1-via-wincrypt.yml
│   │   │   └── hash-data-using-sha1.yml
│   │   ├── sha224
│   │   │   └── hash-data-using-sha224.yml
│   │   └── sha256
│   │       └── hash-data-using-sha256.yml
│   └── prng
│       └── mersenne
│           └── generate-random-numbers-using-a-mersenne-twister.yml
├── executable
│   ├── installer
│   │   ├── installshield
│   │   │   └── packaged-as-an-installshield-installer.yml
│   │   ├── nsis
│   │   │   └── packaged-as-a-nsis-installer.yml
│   │   └── wiseinstall
│   │       └── packaged-as-a-wise-installer.yml
│   ├── pe
│   │   ├── debug
│   │   │   └── debug-build.yml
│   │   ├── pdb
│   │   │   └── contains-pdb-path.yml
│   │   ├── run-as-a-service.yml
│   │   └── section
│   │       ├── rsrc
│   │       │   └── contain-a-resource-.rsrc-section.yml
│   │       └── tls
│   │           └── contain-a-thread-local-storage-.tls-section.yml
│   ├── resource
│   │   └── extract-resource-via-kernel32-functions.yml
│   └── subfile
│       └── pe
│           └── contain-an-embedded-pe-file.yml
├── host-interaction
│   ├── browser
│   │   └── history
│   │       └── list
│   │           └── enumerate-browser-history.yml
│   ├── cli
│   │   └── accept-command-line-arguments.yml
│   ├── clipboard
│   │   ├── open-clipboard.yml
│   │   ├── read-clipboard-data.yml
│   │   ├── replace-clipboard-data.yml
│   │   └── write-clipboard-data.yml
│   ├── driver
│   │   ├── install-driver.yml
│   │   └── interact-with-driver-via-control-codes.yml
│   ├── environment-variable
│   │   ├── query-environment-variable.yml
│   │   └── set-environment-variable.yml
│   ├── file-system
│   │   ├── copy
│   │   │   └── copy-file.yml
│   │   ├── create
│   │   │   └── create-directory.yml
│   │   ├── delete
│   │   │   ├── delete-directory.yml
│   │   │   └── delete-file.yml
│   │   ├── exists
│   │   │   └── check-if-file-exists.yml
│   │   ├── files
│   │   │   └── list
│   │   │       ├── enumerate-files-via-kernel32-functions.yml
│   │   │       └── enumerate-files-via-ntdll-functions.yml
│   │   ├── get-common-file-path.yml
│   │   ├── get-program-files-directory.yml
│   │   ├── meta
│   │   │   ├── get-file-size.yml
│   │   │   ├── get-file-version-info.yml
│   │   │   └── set-file-attributes.yml
│   │   ├── move
│   │   │   └── move-file.yml
│   │   ├── read
│   │   │   ├── read-file-via-mapping.yml
│   │   │   └── read-file.yml
│   │   ├── read-raw-disk-data.yml
│   │   ├── windows-file-protection
│   │   │   └── bypass-windows-file-protection.yml
│   │   └── write
│   │       ├── create-shortcut-via-ishelllink.yml
│   │       └── write-file.yml
│   ├── firewall
│   │   └── modify
│   │       └── access-firewall-settings-via-inetfwmgr.yml
│   ├── gui
│   │   ├── session
│   │   │   └── lock
│   │   │       └── lock-the-desktop.yml
│   │   ├── set-application-hook.yml
│   │   ├── set-global-application-hook.yml
│   │   ├── taskbar
│   │   │   ├── find
│   │   │   │   └── find-taskbar.yml
│   │   │   └── hide
│   │   │       └── hide-the-windows-taskbar.yml
│   │   └── window
│   │       ├── find
│   │       │   ├── enumerate-graphical-windows.yml
│   │       │   └── find-graphical-window.yml
│   │       └── get-text
│   │           └── get-graphical-window-text.yml
│   ├── hardware
│   │   ├── cdrom
│   │   │   └── manipulate-cd-rom-drive.yml
│   │   ├── cpu
│   │   │   └── get-cpu-information.yml
│   │   ├── keyboard
│   │   │   └── layout
│   │   │       └── get-keyboard-layout.yml
│   │   ├── memory
│   │   │   └── get-memory-capacity.yml
│   │   ├── mouse
│   │   │   └── swap-mouse-buttons.yml
│   │   └── storage
│   │       ├── enumerate-disk-volumes.yml
│   │       └── get-disk-information.yml
│   ├── log
│   │   ├── debug
│   │   │   └── write-event
│   │   │       └── print-debug-messages.yml
│   │   └── winevt
│   │       └── access
│   │           └── access-the-windows-event-log.yml
│   ├── mutex
│   │   ├── check-mutex.yml
│   │   └── create-mutex.yml
│   ├── network
│   │   ├── address
│   │   │   └── get-local-ipv4-addresses.yml
│   │   ├── connectivity
│   │   │   └── get-internet-connection-state.yml
│   │   ├── dns
│   │   │   └── resolve
│   │   │       └── resolve-dns.yml
│   │   ├── get-networking-parameters.yml
│   │   ├── interface
│   │   │   └── get-networking-interfaces.yml
│   │   ├── mac-address
│   │   │   └── get-mac-address.yml
│   │   ├── proxy
│   │   │   └── get-proxy.yml
│   │   ├── routing-table
│   │   │   └── get-routing-table.yml
│   │   └── traffic
│   │       ├── copy
│   │       │   └── copy-network-traffic.yml
│   │       └── filter
│   │           └── register-network-filter-via-wfp-api.yml
│   ├── os
│   │   ├── hostname
│   │   │   └── get-hostname.yml
│   │   ├── info
│   │   │   └── get-system-information.yml
│   │   ├── shutdown-system.yml
│   │   └── version
│   │       └── get-os-version.yml
│   ├── process
│   │   ├── create
│   │   │   ├── create-process-suspended.yml
│   │   │   └── create-process.yml
│   │   ├── inject
│   │   │   ├── allocate-rwx-memory.yml
│   │   │   ├── inject-apc.yml
│   │   │   ├── inject-thread.yml
│   │   │   ├── kernel-to-user
│   │   │   │   ├── allocate-user-process-rwx-memory.yml
│   │   │   │   ├── attach-user-process-memory.yml
│   │   │   │   └── free-user-process-memory.yml
│   │   │   ├── use-process-doppelganging.yml
│   │   │   └── use-process-replacement.yml
│   │   ├── injection
│   │   │   └── write-process-memory.yml
│   │   ├── list
│   │   │   ├── enumerate-processes-on-remote-desktop-session-host.yml
│   │   │   ├── enumerate-processes.yml
│   │   │   └── find-process-by-pid.yml
│   │   ├── modify
│   │   │   └── modify-access-privileges.yml
│   │   ├── modules
│   │   │   └── list
│   │   │       └── enumerate-process-modules.yml
│   │   ├── read-process-memory.yml
│   │   └── terminate
│   │       └── terminate-process.yml
│   ├── registry
│   │   ├── create
│   │   │   ├── create-registry-key.yml
│   │   │   └── set-registry-value.yml
│   │   ├── delete
│   │   │   └── delete-registry-key.yml
│   │   ├── open
│   │   │   └── open-registry-key.yml
│   │   └── query
│   │       ├── query-registry-entry.yml
│   │       ├── query-registry-key.yml
│   │       └── query-registry-value.yml
│   ├── service
│   │   ├── create
│   │   │   └── create-service.yml
│   │   ├── delete
│   │   │   └── delete-service.yml
│   │   ├── list
│   │   │   └── enumerate-services.yml
│   │   ├── modify
│   │   │   └── modify-service.yml
│   │   ├── query-service-status.yml
│   │   ├── start
│   │   │   └── start-service.yml
│   │   └── stop
│   │       └── stop-service.yml
│   ├── session
│   │   ├── get-session-information.yml
│   │   ├── get-session-user-name.yml
│   │   └── get-token-membership.yml
│   ├── software
│   │   └── get-installed-programs.yml
│   ├── thread
│   │   ├── create
│   │   │   └── create-thread.yml
│   │   ├── list
│   │   │   └── enumerate-threads.yml
│   │   └── terminate
│   │       └── terminate-thread.yml
│   └── uac
│       └── bypass
│           ├── bypass-uac-via-icmluautil.yml
│           └── bypass-uac-via-scheduled-task-environment-variable.yml
├── impact
│   ├── cryptocurrency
│   │   └── mine-cryptocurrency.yml
│   └── wipe-disk
│       └── wipe-mbr
│           └── overwrite-master-boot-record-mbr.yml
├── linking
│   ├── runtime-linking
│   │   ├── access-peb-ldr_data.yml
│   │   └── link-function-at-runtime.yml
│   └── static
│       ├── cppregex
│       │   └── linked-against-c-regex-library.yml
│       ├── cryptopp
│       │   └── linked-against-crypto.yml
│       ├── libcurl
│       │   └── linked-against-libcurl.yml
│       ├── msdetours
│       │   └── linked-against-microsoft-detours.yml
│       ├── openssl
│       │   └── linked-against-openssl.yml
│       ├── polarssl
│       │   └── linked-against-polarsslmbed-tls.yml
│       └── zlib
│           └── linked-against-zlib.yml
├── load-code
│   ├── pe
│   │   ├── access-pe-header.yml
│   │   └── parse-pe-header.yml
│   ├── powershell
│   │   └── run-powershell-expression.yml
│   └── shellcode
│       └── spawn-thread-to-rwx-shellcode.yml
├── migration.csv
├── migration.xlsx
├── persistence
│   ├── registry
│   │   ├── appinitdlls
│   │   │   └── persist-via-appinit_dlls-registry-key.yml
│   │   ├── ginadll
│   │   │   └── persist-via-ginadll-registry-key.yml
│   │   └── run
│   │       └── persist-via-run-registry-key.yml
│   ├── scheduled-tasks
│   │   └── schedule-task-via-itaskscheduler.yml
│   ├── screensaver
│   │   └── reference-screen-saver-executable.yml
│   ├── service
│   │   └── persist-via-windows-service.yml
│   └── startup-folder
│       ├── get-startup-folder.yml
│       ├── reference-startup-folder.yml
│       └── write-file-to-startup-folder.yml
├── README.md
├── runtime
│   └── dotnet
│       └── compiled-to-the-.net-platform.yml
└── targeting
    └── automated-teller-machine
        ├── diebold-nixdorf
        │   ├── load-diebold-nixdorf-atm-library.yml
        │   └── reference-diebold-atm-routines.yml
        ├── identify-atm-dispenser-service-provider.yml
        └── ncr
            ├── load-ncr-atm-library.yml
            └── reference-ncr-atm-library-routines.yml

208 directories, 243 files

@williballenthin removed the "dont merge" label (Indicate a PR that is still being worked on) Jun 25, 2020
@williballenthin (Collaborator, Author)

assuming everyone is happy with the rule name/namespace reorganization, this PR is ready for review and merge.

@williballenthin (Collaborator, Author)

though, as soon as we merge it, capa will be broken as rule-category meta doesn't exist anymore. so i can queue up a PR for that, too.

@mr-tz (Collaborator) commented Jun 25, 2020

🥳 it's party time

@mr-tz (Collaborator) left a comment

So much good stuff!

It seems like a bunch of files we would want to keep are deleted?

@mr-tz mr-tz mentioned this pull request Jun 26, 2020
@williballenthin (Collaborator, Author)

all comments addressed, no outstanding TODOs.

@mr-tz (Collaborator) left a comment

very good, thank you!

@Ana06 (Member) left a comment

🥳

@@ -1,7 +1,7 @@
rule:
meta:
name: compiled to the .NET platform
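Review bot: "compiled to the .NET platform" completes the second template given later in this thread ("This sample may be [a]... "), so the name already follows the stated convention and needs no tense change; separately, the rendered snippet shows only the three context lines `rule:` / `meta:` / `name: ...`, so the lines that actually changed in this `@@ -1,7 +1,7 @@` hunk cannot be reviewed from what is visible here.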
Member commented:

@williballenthin I think you said we wanted to write rule names in present. Shouldn't this one be modified? 🤔

Collaborator replied:

rule names complete one of these two sentences:

  • This function/sample may... "reference the VMWare IO port"
  • This sample may be [a].... "linked against OpenSSL"

@@ -1,6 +1,7 @@
rule:
meta:
name: get service handle
namespace: ''
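Review bot: `namespace: ''` carries no hint that this is a library rule, and an empty string is easy to mistake for a missing or mistyped value during the migration; suggest either an inline comment on that line (e.g. `namespace: ''  # library rule, not shown to users`) or a sentence in README.md stating that library rules use an empty namespace, so that a namespace-versus-directory consistency check can exempt these rules on purpose rather than by accident.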
Member commented:

there are several rules without namespace, is this expected?

Collaborator replied:

these are library rules meant to be used by other rules and they should not be displayed to the user, they could have a namespace, but don't have to
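The two review threads above (library rules with an empty namespace, and rule names that follow a fixed sentence template and are mirrored in the file names) suggest a consistency check a maintainer would run before merging a migration like this one. The following is an added example, not code from the capa-rules project or from the migration script in mandiant/capa#25. It assumes the conventions visible in this PR: a rule's `namespace` equals the directory path holding it, an empty namespace marks a library rule, and the file name is the rule name lower-cased with spaces turned into dashes and other punctuation dropped (inferred from pairs in the tree such as `linked against Crypto++` and `linked-against-crypto.yml`). The sample rule files and the `shared/` location used for the library rule are constructed for the example; the PR does not show where library rules live.

```python
"""Consistency checks for a capa rule tree laid out as namespace directories.

Added illustration, not part of the capa-rules project or its migration
script. Assumed conventions (taken from this PR's discussion and tree):
  * a rule's meta.namespace equals the directory path that holds it,
  * an empty namespace marks a library rule used only by other rules,
  * the file name is the rule name lower-cased, spaces as dashes, other
    punctuation dropped ("linked against Crypto++" -> linked-against-crypto.yml).
"""
import posixpath
import re

# Constructed rule files: path relative to the rules root -> file text.
# The shared/ directory is hypothetical; the PR does not show where
# library rules are stored.
SAMPLE_RULES = {
    "runtime/dotnet/compiled-to-the-.net-platform.yml":
        "rule:\n  meta:\n    name: compiled to the .NET platform\n"
        "    namespace: runtime/dotnet\n",
    # library rule: empty namespace is allowed, but worth surfacing
    "shared/get-service-handle.yml":
        "rule:\n  meta:\n    name: get service handle\n"
        "    namespace: ''\n",
    # namespace still points at a pre-migration category path
    "linking/static/cryptopp/linked-against-crypto.yml":
        "rule:\n  meta:\n    name: linked against Crypto++\n"
        "    namespace: other-features/linked-library\n",
    # file name has drifted from the rule name
    "persistence/registry/run/persist-via-run-key.yml":
        "rule:\n  meta:\n    name: persist via Run registry key\n"
        "    namespace: persistence/registry/run\n",
}

META_KEY = re.compile(r"^\s*(name|namespace):\s*(.*?)\s*$")


def parse_meta(text):
    """Return the first `name:` and `namespace:` values found in a rule.

    A deliberately tiny line scanner so the check has no YAML dependency.
    Surrounding quotes are stripped, so `namespace: ''` yields "".
    """
    meta = {}
    for line in text.splitlines():
        m = META_KEY.match(line)
        if m and m.group(1) not in meta:
            meta[m.group(1)] = m.group(2).strip("'\"")
    return meta


def slugify(name):
    """File-name form of a rule name under the assumed convention."""
    return re.sub(r"[^a-z0-9._-]", "", name.lower().replace(" ", "-"))


def check_rule(path, text):
    """Return a list of (level, message) findings for one rule file."""
    findings = []
    meta = parse_meta(text)
    if "name" not in meta:
        return [("error", f"{path}: missing meta.name")]
    expected = slugify(meta["name"]) + ".yml"
    if posixpath.basename(path) != expected:
        findings.append(("error", f"{path}: file name should be {expected!r} "
                                  f"for name {meta['name']!r}"))
    namespace = meta.get("namespace")
    directory = posixpath.dirname(path)
    if namespace is None:
        findings.append(("error", f"{path}: missing meta.namespace"))
    elif namespace == "":
        # library rule: permitted, but listed so a reviewer confirms intent
        findings.append(("info", f"{path}: library rule (empty namespace)"))
    elif namespace != directory:
        findings.append(("error", f"{path}: namespace {namespace!r} "
                                  f"does not match directory {directory!r}"))
    return findings


def check_tree(rules):
    """Run check_rule over a {path: text} mapping, in path order."""
    findings = []
    for path in sorted(rules):
        findings.extend(check_rule(path, rules[path]))
    return findings


if __name__ == "__main__":
    for level, message in check_tree(SAMPLE_RULES):
        print(f"[{level}] {message}")
```

Run against a real checkout, `SAMPLE_RULES` would be replaced by a walk over the `.yml` files with paths taken relative to the rules root; the `info` level keeps library rules visible in the report without failing it, which is the behaviour the thread above describes.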

@@ -1,7 +1,7 @@
rule:
meta:
name: links against Crypto++
rule-category: other-features/linked-library/linked-with-cryptopp
name: linked against Crypto++
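Review bot: the rendering has dropped the +/- markers, so this hunk reads as though the rule carried two `name:` keys; from the context it is a rename of `links against Crypto++` to `linked against Crypto++` plus removal of the `rule-category: other-features/linked-library/linked-with-cryptopp` line, and the rename matches the "This sample may be [a]..." template stated earlier in this thread. The replacement `namespace:` line is not visible in the snippet, so please confirm it is present and reads `linking/static/cryptopp`, matching the file's new location `linking/static/cryptopp/linked-against-crypto.yml` in the tree above; a stale or missing namespace here would not be caught by the rename itself.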
Member commented:

this one is also not in present 🤔

@williballenthin williballenthin merged commit 9f023a3 into master Jun 29, 2020
@williballenthin williballenthin deleted the rule-organization branch June 29, 2020 19:05