From 1217201e4b9ce036c4d5c26d58777fd64e327c38 Mon Sep 17 00:00:00 2001 
From: akh7177 Date: Fri, 28 Feb 2025 16:55:57 +0530 Subject: [PATCH 1/6] Rename architecture-specific rules and update rule names inside YAML files --- ...yml => check-for-peb-ntglobalflag-flag-via-x86-assembly.yml} | 2 +- ...n.yml => check-for-trap-flag-exception-via-x86-assembly.yml} | 2 +- ...=> execute-anti-debugging-instructions-via-x86-assembly.yml} | 2 +- ...l => 64-bit-execution-via-heavens-gate-via-x86-assembly.yml} | 2 +- ...line.yml => patch-process-command-line-via-x86-assembly.yml} | 2 +- ...packets-callback-function-via-wsaioctl-via-x86-assembly.yml} | 2 +- ...ecksum.yml => compute-adler32-checksum-via-x86-assembly.yml} | 2 +- ...with-crc32.yml => hash-data-with-crc32-via-x86-assembly.yml} | 2 +- ...lib.yml => decompress-data-using-aplib-via-x86-assembly.yml} | 2 +- ...g-ucl.yml => decompress-data-using-ucl-via-x86-assembly.yml} | 2 +- ...ing-base64-via-dword-translation-table-via-x86-assembly.yml} | 2 +- ...ts.yml => manually-build-aes-constants-via-x86-assembly.yml} | 2 +- ... 
encrypt-data-using-hc-128-via-wolfssl-via-x86-assembly.yml} | 2 +- ...c-128.yml => encrypt-data-using-hc-128-via-x86-assembly.yml} | 2 +- ...-ksa.yml => encrypt-data-using-rc4-ksa-via-x86-assembly.yml} | 2 +- ...rga.yml => encrypt-data-using-rc4-prga-via-x86-assembly.yml} | 2 +- ...pt-data-using-rsa-via-embedded-library-via-x86-assembly.yml} | 2 +- ...uk.yml => encrypt-data-using-sosemanuk-via-x86-assembly.yml} | 2 +- ...sing-tea.yml => decrypt-data-using-tea-via-x86-assembly.yml} | 2 +- ...sing-tea.yml => encrypt-data-using-tea-via-x86-assembly.yml} | 2 +- ...-xxtea.yml => encrypt-data-using-xxtea-via-x86-assembly.yml} | 2 +- ...using-djb2.yml => hash-data-using-djb2-via-x86-assembly.yml} | 2 +- ...a-using-fnv.yml => hash-data-using-fnv-via-x86-assembly.yml} | 2 +- ...murmur3.yml => hash-data-using-murmur3-via-x86-assembly.yml} | 2 +- ...essors.yml => get-number-of-processors-via-x86-assembly.yml} | 2 +- ...ss-with-modified-io-handles-and-window-via-x86-assembly.yml} | 2 +- ...n-linux.yml => create-process-on-linux-via-x86-assembly.yml} | 2 +- ...s-filename.yml => get-process-filename-via-x86-assembly.yml} | 2 +- ...ap-flags.yml => get-process-heap-flags-via-x86-assembly.yml} | 2 +- ...gs.yml => get-process-heap-force-flags-via-x86-assembly.yml} | 2 +- ...nnect-to-wmi-namespace-via-wbemlocator-via-x86-assembly.yml} | 2 +- ... calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml} | 2 +- ...nce.yml => contain-pusha-popa-sequence-via-x86-assembly.yml} | 2 +- lib/{get-os-version.yml => get-os-version-via-x86-assembly.yml} | 2 +- lib/{peb-access.yml => peb-access-via-x86-assembly.yml} | 2 +- ...using-luhn-algorithm-with-lookup-table-via-x86-assembly.yml} | 2 +- ...ng-luhn-algorithm-with-no-lookup-table-via-x86-assembly.yml} | 2 +- ...eb-ldr_data.yml => access-peb-ldr_data-via-x86-assembly.yml} | 2 +- ...dress.yml => get-kernel32-base-address-via-x86-assembly.yml} | 2 +- ...-address.yml => get-ntdll-base-address-via-x86-assembly.yml} | 2 +- ... 
=> populate-syswhispers2-syscall-list-via-x86-assembly.yml} | 2 +- ...ve-function-by-brute-ratel-badger-hash-via-x86-assembly.yml} | 2 +- ...l => resolve-function-by-fin8-fasthash-via-x86-assembly.yml} | 2 +- ...-openssl.yml => linked-against-openssl-via-x86-assembly.yml} | 2 +- ...-sections.yml => enumerate-pe-sections-via-x86-assembly.yml} | 2 +- ...parse-pe-header.yml => parse-pe-header-via-x86-assembly.yml} | 2 +- ...port-table.yml => rebuild-import-table-via-x86-assembly.yml} | 2 +- ...resolve-function-by-parsing-pe-exports-via-x86-assembly.yml} | 2 +- ...ata-using-base64-via-vbmi-lookup-table-via-x86-assembly.yml} | 2 +- ...execute-syscall.yml => execute-syscall-via-x86-assembly.yml} | 2 +- ...dress.yml => get-ntoskrnl-base-address-via-x86-assembly.yml} | 2 +- ...l => hook-routines-via-dlsym-rtld_next-via-x86-assembly.yml} | 2 +- ...rence-processor-manufacturer-constants-via-x86-assembly.yml} | 2 +- ...-on-android.yml => send-sms-on-android-via-x86-assembly.yml} | 2 +- 54 files changed, 54 insertions(+), 54 deletions(-) rename anti-analysis/anti-debugging/debugger-detection/{check-for-peb-ntglobalflag-flag.yml => check-for-peb-ntglobalflag-flag-via-x86-assembly.yml} (95%) rename anti-analysis/anti-debugging/debugger-detection/{check-for-trap-flag-exception.yml => check-for-trap-flag-exception-via-x86-assembly.yml} (94%) rename anti-analysis/anti-debugging/debugger-detection/{execute-anti-debugging-instructions.yml => execute-anti-debugging-instructions-via-x86-assembly.yml} (88%) rename anti-analysis/anti-disasm/{64-bit-execution-via-heavens-gate.yml => 64-bit-execution-via-heavens-gate-via-x86-assembly.yml} (95%) rename anti-analysis/anti-forensic/{patch-process-command-line.yml => patch-process-command-line-via-x86-assembly.yml} (97%) rename communication/socket/tcp/send/{obtain-transmitpackets-callback-function-via-wsaioctl.yml => obtain-transmitpackets-callback-function-via-wsaioctl-via-x86-assembly.yml} (95%) rename 
data-manipulation/checksum/adler32/{compute-adler32-checksum.yml => compute-adler32-checksum-via-x86-assembly.yml} (97%) rename data-manipulation/checksum/crc32/{hash-data-with-crc32.yml => hash-data-with-crc32-via-x86-assembly.yml} (95%) rename data-manipulation/compression/{decompress-data-using-aplib.yml => decompress-data-using-aplib-via-x86-assembly.yml} (96%) rename data-manipulation/compression/{decompress-data-using-ucl.yml => decompress-data-using-ucl-via-x86-assembly.yml} (96%) rename data-manipulation/encoding/base64/{decode-data-using-base64-via-dword-translation-table.yml => decode-data-using-base64-via-dword-translation-table-via-x86-assembly.yml} (97%) rename data-manipulation/encryption/aes/{manually-build-aes-constants.yml => manually-build-aes-constants-via-x86-assembly.yml} (95%) rename data-manipulation/encryption/hc-128/{encrypt-data-using-hc-128-via-wolfssl.yml => encrypt-data-using-hc-128-via-wolfssl-via-x86-assembly.yml} (95%) rename data-manipulation/encryption/hc-128/{encrypt-data-using-hc-128.yml => encrypt-data-using-hc-128-via-x86-assembly.yml} (97%) rename data-manipulation/encryption/rc4/{encrypt-data-using-rc4-ksa.yml => encrypt-data-using-rc4-ksa-via-x86-assembly.yml} (97%) rename data-manipulation/encryption/rc4/{encrypt-data-using-rc4-prga.yml => encrypt-data-using-rc4-prga-via-x86-assembly.yml} (95%) rename data-manipulation/encryption/rsa/{encrypt-data-using-rsa-via-embedded-library.yml => encrypt-data-using-rsa-via-embedded-library-via-x86-assembly.yml} (95%) rename data-manipulation/encryption/sosemanuk/{encrypt-data-using-sosemanuk.yml => encrypt-data-using-sosemanuk-via-x86-assembly.yml} (97%) rename data-manipulation/encryption/tea/{decrypt-data-using-tea.yml => decrypt-data-using-tea-via-x86-assembly.yml} (96%) rename data-manipulation/encryption/tea/{encrypt-data-using-tea.yml => encrypt-data-using-tea-via-x86-assembly.yml} (96%) rename data-manipulation/encryption/xxtea/{encrypt-data-using-xxtea.yml => 
encrypt-data-using-xxtea-via-x86-assembly.yml} (96%) rename data-manipulation/hashing/djb2/{hash-data-using-djb2.yml => hash-data-using-djb2-via-x86-assembly.yml} (94%) rename data-manipulation/hashing/fnv/{hash-data-using-fnv.yml => hash-data-using-fnv-via-x86-assembly.yml} (97%) rename data-manipulation/hashing/murmur/{hash-data-using-murmur3.yml => hash-data-using-murmur3-via-x86-assembly.yml} (97%) rename host-interaction/hardware/cpu/{get-number-of-processors.yml => get-number-of-processors-via-x86-assembly.yml} (94%) rename host-interaction/process/create/{create-a-process-with-modified-io-handles-and-window.yml => create-a-process-with-modified-io-handles-and-window-via-x86-assembly.yml} (96%) rename host-interaction/process/create/{create-process-on-linux.yml => create-process-on-linux-via-x86-assembly.yml} (93%) rename host-interaction/process/{get-process-filename.yml => get-process-filename-via-x86-assembly.yml} (97%) rename host-interaction/process/{get-process-heap-flags.yml => get-process-heap-flags-via-x86-assembly.yml} (94%) rename host-interaction/process/{get-process-heap-force-flags.yml => get-process-heap-force-flags-via-x86-assembly.yml} (94%) rename host-interaction/wmi/{connect-to-wmi-namespace-via-wbemlocator.yml => connect-to-wmi-namespace-via-wbemlocator-via-x86-assembly.yml} (95%) rename lib/{calculate-modulo-256-via-x86-assembly.yml => calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml} (88%) rename lib/{contain-pusha-popa-sequence.yml => contain-pusha-popa-sequence-via-x86-assembly.yml} (89%) rename lib/{get-os-version.yml => get-os-version-via-x86-assembly.yml} (95%) rename lib/{peb-access.yml => peb-access-via-x86-assembly.yml} (97%) rename lib/{validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml => validate-payment-card-number-using-luhn-algorithm-with-lookup-table-via-x86-assembly.yml} (98%) rename lib/{validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml => 
validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table-via-x86-assembly.yml} (98%) rename linking/runtime-linking/{access-peb-ldr_data.yml => access-peb-ldr_data-via-x86-assembly.yml} (97%) rename linking/runtime-linking/{get-kernel32-base-address.yml => get-kernel32-base-address-via-x86-assembly.yml} (94%) rename linking/runtime-linking/{get-ntdll-base-address.yml => get-ntdll-base-address-via-x86-assembly.yml} (95%) rename linking/runtime-linking/{populate-syswhispers2-syscall-list.yml => populate-syswhispers2-syscall-list-via-x86-assembly.yml} (95%) rename linking/runtime-linking/{resolve-function-by-brute-ratel-badger-hash.yml => resolve-function-by-brute-ratel-badger-hash-via-x86-assembly.yml} (94%) rename linking/runtime-linking/{resolve-function-by-fin8-fasthash.yml => resolve-function-by-fin8-fasthash-via-x86-assembly.yml} (95%) rename linking/static/openssl/{linked-against-openssl.yml => linked-against-openssl-via-x86-assembly.yml} (91%) rename load-code/pe/{enumerate-pe-sections.yml => enumerate-pe-sections-via-x86-assembly.yml} (97%) rename load-code/pe/{parse-pe-header.yml => parse-pe-header-via-x86-assembly.yml} (98%) rename load-code/pe/{rebuild-import-table.yml => rebuild-import-table-via-x86-assembly.yml} (96%) rename load-code/pe/{resolve-function-by-parsing-pe-exports.yml => resolve-function-by-parsing-pe-exports-via-x86-assembly.yml} (94%) rename nursery/{decode-data-using-base64-via-vbmi-lookup-table.yml => decode-data-using-base64-via-vbmi-lookup-table-via-x86-assembly.yml} (95%) rename nursery/{execute-syscall.yml => execute-syscall-via-x86-assembly.yml} (95%) rename nursery/{get-ntoskrnl-base-address.yml => get-ntoskrnl-base-address-via-x86-assembly.yml} (94%) rename nursery/{hook-routines-via-dlsym-rtld_next.yml => hook-routines-via-dlsym-rtld_next-via-x86-assembly.yml} (90%) rename nursery/{reference-processor-manufacturer-constants.yml => reference-processor-manufacturer-constants-via-x86-assembly.yml} (92%) rename 
nursery/{send-sms-on-android.yml => send-sms-on-android-via-x86-assembly.yml} (93%) diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml similarity index 95% rename from anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml rename to anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml index 9fbffe04e..b3da03ab4 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: check for PEB NtGlobalFlag flag + name: check for PEB NtGlobalFlag flag via x86 assembly namespace: anti-analysis/anti-debugging/debugger-detection authors: - moritz.raabe@mandiant.com diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception-via-x86-assembly.yml similarity index 94% rename from anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml rename to anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception-via-x86-assembly.yml index ba561e738..c27ae9a51 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: check for trap flag exception + name: check for trap flag exception via x86 assembly namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com 
diff --git a/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml b/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions-via-x86-assembly.yml similarity index 88% rename from anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml rename to anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions-via-x86-assembly.yml index 573617ddf..7ba5926d5 100644 --- a/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml +++ b/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: execute anti-debugging instructions + name: execute anti-debugging instructions via x86 assembly namespace: anti-analysis/anti-debugging/debugger-detection authors: - moritz.raabe@mandiant.com diff --git a/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml b/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate-via-x86-assembly.yml similarity index 95% rename from anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml rename to anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate-via-x86-assembly.yml index 822f1b661..ccc8fe5bd 100644 --- a/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml +++ b/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: 64-bit execution via heavens gate + name: 64-bit execution via heavens gate via x86 assembly namespace: anti-analysis/anti-disasm authors: - awillia2@cisco.com 
diff --git a/anti-analysis/anti-forensic/patch-process-command-line.yml b/anti-analysis/anti-forensic/patch-process-command-line-via-x86-assembly.yml similarity index 97% rename from anti-analysis/anti-forensic/patch-process-command-line.yml rename to anti-analysis/anti-forensic/patch-process-command-line-via-x86-assembly.yml index 4a1d0f021..b4a95da43 100644 --- a/anti-analysis/anti-forensic/patch-process-command-line.yml +++ b/anti-analysis/anti-forensic/patch-process-command-line-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: patch process command line + name: patch process command line via x86 assembly namespace: anti-analysis/anti-forensic authors: - william.ballenthin@mandiant.com diff --git a/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml b/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl-via-x86-assembly.yml similarity index 95% rename from communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml rename to communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl-via-x86-assembly.yml index d41a3040f..14cd75a51 100644 --- a/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml +++ b/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: obtain TransmitPackets callback function via WSAIoctl + name: obtain TransmitPackets callback function via WSAIoctl via x86 assembly namespace: communication/socket/tcp/send authors: - jonathan.lepore@mandiant.com 
diff --git a/data-manipulation/checksum/adler32/compute-adler32-checksum.yml b/data-manipulation/checksum/adler32/compute-adler32-checksum-via-x86-assembly.yml similarity index 97% rename from data-manipulation/checksum/adler32/compute-adler32-checksum.yml rename to data-manipulation/checksum/adler32/compute-adler32-checksum-via-x86-assembly.yml index 246e8d27a..8f4268bb0 100644 --- a/data-manipulation/checksum/adler32/compute-adler32-checksum.yml +++ b/data-manipulation/checksum/adler32/compute-adler32-checksum-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: compute adler32 checksum + name: compute adler32 checksum via x86 assembly namespace: data-manipulation/checksum/adler32 authors: - matthew.williams@mandiant.com diff --git a/data-manipulation/checksum/crc32/hash-data-with-crc32.yml b/data-manipulation/checksum/crc32/hash-data-with-crc32-via-x86-assembly.yml similarity index 95% rename from data-manipulation/checksum/crc32/hash-data-with-crc32.yml rename to data-manipulation/checksum/crc32/hash-data-with-crc32-via-x86-assembly.yml index f258a193a..3aebbec6c 100644 --- a/data-manipulation/checksum/crc32/hash-data-with-crc32.yml +++ b/data-manipulation/checksum/crc32/hash-data-with-crc32-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: hash data with CRC32 + name: hash data with CRC32 via x86 assembly namespace: data-manipulation/checksum/crc32 authors: - moritz.raabe@mandiant.com diff --git a/data-manipulation/compression/decompress-data-using-aplib.yml b/data-manipulation/compression/decompress-data-using-aplib-via-x86-assembly.yml similarity index 96% rename from data-manipulation/compression/decompress-data-using-aplib.yml rename to data-manipulation/compression/decompress-data-using-aplib-via-x86-assembly.yml index 6f6f4b58c..9d5849f41 100644 --- a/data-manipulation/compression/decompress-data-using-aplib.yml +++ b/data-manipulation/compression/decompress-data-using-aplib-via-x86-assembly.yml 
@@ -1,6 +1,6 @@ rule: meta: - name: decompress data using aPLib + name: decompress data using aPLib via x86 assembly namespace: data-manipulation/compression authors: - "@r3c0nst (Frank Boldewin)" diff --git a/data-manipulation/compression/decompress-data-using-ucl.yml b/data-manipulation/compression/decompress-data-using-ucl-via-x86-assembly.yml similarity index 96% rename from data-manipulation/compression/decompress-data-using-ucl.yml rename to data-manipulation/compression/decompress-data-using-ucl-via-x86-assembly.yml index 937e644da..ad96f04c0 100644 --- a/data-manipulation/compression/decompress-data-using-ucl.yml +++ b/data-manipulation/compression/decompress-data-using-ucl-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: decompress data using UCL + name: decompress data using UCL via x86 assembly namespace: data-manipulation/compression authors: - jakub.jozwiak@mandiant.com diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table-via-x86-assembly.yml similarity index 97% rename from data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml rename to data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table-via-x86-assembly.yml index d8c1b9e6b..2cce8564e 100644 --- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml +++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: decode data using Base64 via dword translation table + name: decode data using Base64 via dword translation table via x86 assembly namespace: data-manipulation/encoding/base64 authors: - gilbert.elliot@mandiant.com 
diff --git a/data-manipulation/encryption/aes/manually-build-aes-constants.yml b/data-manipulation/encryption/aes/manually-build-aes-constants-via-x86-assembly.yml similarity index 95% rename from data-manipulation/encryption/aes/manually-build-aes-constants.yml rename to data-manipulation/encryption/aes/manually-build-aes-constants-via-x86-assembly.yml index b49ac0b69..399356331 100644 --- a/data-manipulation/encryption/aes/manually-build-aes-constants.yml +++ b/data-manipulation/encryption/aes/manually-build-aes-constants-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: manually build AES constants + name: manually build AES constants via x86 assembly namespace: data-manipulation/encryption/aes authors: - huynh.t.nhan@gmail.com diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl-via-x86-assembly.yml similarity index 95% rename from data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml rename to data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl-via-x86-assembly.yml index 8211d5e07..e0236958d 100755 --- a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml +++ b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl-via-x86-assembly.yml @@ -1,7 +1,7 @@ # generated using capa explorer for IDA Pro rule: meta: - name: encrypt data using HC-128 via WolfSSL + name: encrypt data using HC-128 via WolfSSL via x86 assembly namespace: data-manipulation/encryption/hc-128 authors: - blaine.stancill@mandiant.com 
diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-x86-assembly.yml similarity index 97% rename from data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml rename to data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-x86-assembly.yml index a401c9c05..9ff253b5a 100644 --- a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml +++ b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: encrypt data using HC-128 + name: encrypt data using HC-128 via x86 assembly namespace: data-manipulation/encryption/hc-128 authors: - awillia2@cisco.com diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa-via-x86-assembly.yml similarity index 97% rename from data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml rename to data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa-via-x86-assembly.yml index d0a9fa269..17467f08f 100644 --- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml +++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: encrypt data using RC4 KSA + name: encrypt data using RC4 KSA via x86 assembly namespace: data-manipulation/encryption/rc4 authors: - moritz.raabe@mandiant.com diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga-via-x86-assembly.yml similarity index 95% rename from data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml rename to data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga-via-x86-assembly.yml index 9066f37e0..699c221e9 100644 --- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml 
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: encrypt data using RC4 PRGA + name: encrypt data using RC4 PRGA via x86 assembly namespace: data-manipulation/encryption/rc4 authors: - moritz.raabe@mandiant.com diff --git a/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml b/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library-via-x86-assembly.yml similarity index 95% rename from data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml rename to data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library-via-x86-assembly.yml index 7599ab4ad..576966456 100644 --- a/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml +++ b/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: encrypt data using RSA via embedded library + name: encrypt data using RSA via embedded library via x86 assembly namespace: data-manipulation/encryption/rsa authors: - "Ana06" diff --git a/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml b/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk-via-x86-assembly.yml similarity index 97% rename from data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml rename to data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk-via-x86-assembly.yml index a13a20860..018bf3778 100644 --- a/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml +++ b/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: encrypt data using Sosemanuk + name: encrypt data using Sosemanuk via x86 assembly namespace: data-manipulation/encryption/sosemanuk authors: - awillia2@cisco.com 
diff --git a/data-manipulation/encryption/tea/decrypt-data-using-tea.yml b/data-manipulation/encryption/tea/decrypt-data-using-tea-via-x86-assembly.yml similarity index 96% rename from data-manipulation/encryption/tea/decrypt-data-using-tea.yml rename to data-manipulation/encryption/tea/decrypt-data-using-tea-via-x86-assembly.yml index 97d826fa9..284cbc908 100755 --- a/data-manipulation/encryption/tea/decrypt-data-using-tea.yml +++ b/data-manipulation/encryption/tea/decrypt-data-using-tea-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: decrypt data using TEA + name: decrypt data using TEA via x86 assembly namespace: data-manipulation/encryption/tea authors: - william.ballenthin@mandiant.com diff --git a/data-manipulation/encryption/tea/encrypt-data-using-tea.yml b/data-manipulation/encryption/tea/encrypt-data-using-tea-via-x86-assembly.yml similarity index 96% rename from data-manipulation/encryption/tea/encrypt-data-using-tea.yml rename to data-manipulation/encryption/tea/encrypt-data-using-tea-via-x86-assembly.yml index 7262cb1db..d5a4d5945 100755 --- a/data-manipulation/encryption/tea/encrypt-data-using-tea.yml +++ b/data-manipulation/encryption/tea/encrypt-data-using-tea-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: encrypt data using TEA + name: encrypt data using TEA via x86 assembly namespace: data-manipulation/encryption/tea authors: - william.ballenthin@mandiant.com diff --git a/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml b/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea-via-x86-assembly.yml similarity index 96% rename from data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml rename to data-manipulation/encryption/xxtea/encrypt-data-using-xxtea-via-x86-assembly.yml index 565256c6f..e192df7d8 100755 --- a/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml +++ b/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea-via-x86-assembly.yml 
@@ -1,6 +1,6 @@ rule: meta: - name: encrypt data using XXTEA + name: encrypt data using XXTEA via x86 assembly namespace: data-manipulation/encryption/xxtea authors: - raymond.leong@mandiant.com diff --git a/data-manipulation/hashing/djb2/hash-data-using-djb2.yml b/data-manipulation/hashing/djb2/hash-data-using-djb2-via-x86-assembly.yml similarity index 94% rename from data-manipulation/hashing/djb2/hash-data-using-djb2.yml rename to data-manipulation/hashing/djb2/hash-data-using-djb2-via-x86-assembly.yml index 43a178796..c3e270f26 100644 --- a/data-manipulation/hashing/djb2/hash-data-using-djb2.yml +++ b/data-manipulation/hashing/djb2/hash-data-using-djb2-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: hash data using djb2 + name: hash data using djb2 via x86 assembly namespace: data-manipulation/hashing/djb2 authors: - awillia2@cisco.com diff --git a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml b/data-manipulation/hashing/fnv/hash-data-using-fnv-via-x86-assembly.yml similarity index 97% rename from data-manipulation/hashing/fnv/hash-data-using-fnv.yml rename to data-manipulation/hashing/fnv/hash-data-using-fnv-via-x86-assembly.yml index 40ddfa616..535d1865f 100644 --- a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml +++ b/data-manipulation/hashing/fnv/hash-data-using-fnv-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: hash data using fnv + name: hash data using fnv via x86 assembly namespace: data-manipulation/hashing/fnv authors: - moritz.raabe@mandiant.com diff --git a/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml b/data-manipulation/hashing/murmur/hash-data-using-murmur3-via-x86-assembly.yml similarity index 97% rename from data-manipulation/hashing/murmur/hash-data-using-murmur3.yml rename to data-manipulation/hashing/murmur/hash-data-using-murmur3-via-x86-assembly.yml index 4b87aca3f..77ec7b221 100644 --- a/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml 
+++ b/data-manipulation/hashing/murmur/hash-data-using-murmur3-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: hash data using murmur3 + name: hash data using murmur3 via x86 assembly namespace: data-manipulation/hashing/murmur authors: - william.ballenthin@mandiant.com diff --git a/host-interaction/hardware/cpu/get-number-of-processors.yml b/host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml similarity index 94% rename from host-interaction/hardware/cpu/get-number-of-processors.yml rename to host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml index 7499ac7c0..28ffe8423 100644 --- a/host-interaction/hardware/cpu/get-number-of-processors.yml +++ b/host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: get number of processors + name: get number of processors via x86 assembly namespace: host-interaction/hardware/cpu authors: - michael.hunhoff@mandiant.com diff --git a/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml b/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window-via-x86-assembly.yml similarity index 96% rename from host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml rename to host-interaction/process/create/create-a-process-with-modified-io-handles-and-window-via-x86-assembly.yml index 292df5a22..00eeabe01 100644 --- a/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml +++ b/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: create a process with modified I/O handles and window + name: create a process with modified I/O handles and window via x86 assembly namespace: host-interaction/process/create authors: - matthew.williams@mandiant.com 
diff --git a/host-interaction/process/create/create-process-on-linux.yml b/host-interaction/process/create/create-process-on-linux-via-x86-assembly.yml similarity index 93% rename from host-interaction/process/create/create-process-on-linux.yml rename to host-interaction/process/create/create-process-on-linux-via-x86-assembly.yml index 8394567ca..b186ba22a 100644 --- a/host-interaction/process/create/create-process-on-linux.yml +++ b/host-interaction/process/create/create-process-on-linux-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: create process on Linux + name: create process on Linux via x86 assembly namespace: host-interaction/process/create authors: - joakim@intezer.com diff --git a/host-interaction/process/get-process-filename.yml b/host-interaction/process/get-process-filename-via-x86-assembly.yml similarity index 97% rename from host-interaction/process/get-process-filename.yml rename to host-interaction/process/get-process-filename-via-x86-assembly.yml index eff6f4837..344ed0eea 100644 --- a/host-interaction/process/get-process-filename.yml +++ b/host-interaction/process/get-process-filename-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: get process filename + name: get process filename via x86 assembly namespace: host-interaction/process authors: - matthew.williams@mandiant.com diff --git a/host-interaction/process/get-process-heap-flags.yml b/host-interaction/process/get-process-heap-flags-via-x86-assembly.yml similarity index 94% rename from host-interaction/process/get-process-heap-flags.yml rename to host-interaction/process/get-process-heap-flags-via-x86-assembly.yml index f5ac9a96e..ec09b2f79 100644 --- a/host-interaction/process/get-process-heap-flags.yml +++ b/host-interaction/process/get-process-heap-flags-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: get process heap flags + name: get process heap flags via x86 assembly namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com 
diff --git a/host-interaction/process/get-process-heap-force-flags.yml b/host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml similarity index 94% rename from host-interaction/process/get-process-heap-force-flags.yml rename to host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml index 9ffc6cc47..09257f2f5 100644 --- a/host-interaction/process/get-process-heap-force-flags.yml +++ b/host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: get process heap force flags + name: get process heap force flags via x86 assembly namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com diff --git a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator-via-x86-assembly.yml similarity index 95% rename from host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml rename to host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator-via-x86-assembly.yml index d62247bb5..049ac908c 100644 --- a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml +++ b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator-via-x86-assembly.yml @@ -1,7 +1,7 @@ # generated using capa explorer for IDA Pro rule: meta: - name: connect to WMI namespace via WbemLocator + name: connect to WMI namespace via WbemLocator via x86 assembly namespace: host-interaction/wmi authors: - michael.hunhoff@mandiant.com diff --git a/lib/calculate-modulo-256-via-x86-assembly.yml b/lib/calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml similarity index 88% rename from lib/calculate-modulo-256-via-x86-assembly.yml rename to lib/calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml index 2b8b56212..0dfb40877 100644 --- a/lib/calculate-modulo-256-via-x86-assembly.yml +++ b/lib/calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml 
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: calculate modulo 256 via x86 assembly
+ name: calculate modulo 256 via x86 assembly via x86 assembly
 authors:
 - moritz.raabe@mandiant.com
 lib: true
diff --git a/lib/contain-pusha-popa-sequence.yml b/lib/contain-pusha-popa-sequence-via-x86-assembly.yml
similarity index 89%
rename from lib/contain-pusha-popa-sequence.yml
rename to lib/contain-pusha-popa-sequence-via-x86-assembly.yml
index 1c368029e..7be227355 100644
--- a/lib/contain-pusha-popa-sequence.yml
+++ b/lib/contain-pusha-popa-sequence-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: contain pusha popa sequence
+ name: contain pusha popa sequence via x86 assembly
 authors:
 - moritz.raabe@mandiant.com
 lib: true
diff --git a/lib/get-os-version.yml b/lib/get-os-version-via-x86-assembly.yml
similarity index 95%
rename from lib/get-os-version.yml
rename to lib/get-os-version-via-x86-assembly.yml
index 2cb26218d..1443cb777 100644
--- a/lib/get-os-version.yml
+++ b/lib/get-os-version-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get OS version
+ name: get OS version via x86 assembly
 authors:
 - "@mr-tz"
 lib: true
diff --git a/lib/peb-access.yml b/lib/peb-access-via-x86-assembly.yml
similarity index 97%
rename from lib/peb-access.yml
rename to lib/peb-access-via-x86-assembly.yml
index 1490de8c5..141caa18d 100644
--- a/lib/peb-access.yml
+++ b/lib/peb-access-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: PEB access
+ name: PEB access via x86 assembly
 authors:
 - michael.hunhoff@mandiant.com
 lib: true
diff --git a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table-via-x86-assembly.yml
similarity index 98%
rename from lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml
rename to lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table-via-x86-assembly.yml
index bbac2e8ad..5ae117dc1 100644
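Review bot: The `+ name:` line of the calculate-modulo-256 hunk reads `calculate modulo 256 via x86 assembly via x86 assembly` — the original name already ended in `via x86 assembly`, so this rename, and the new path `lib/calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml`, doubles the suffix. The revert in patch 2/6 visible further down does not list this file, so the duplicated name survives the series as far as can be seen here. Drop this hunk and keep `name: calculate modulo 256 via x86 assembly` at its original path; a mechanical rename pass should skip any rule whose name already ends in the suffix it adds.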
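Review bot: `PEB access` is a `lib: true` rule, and capa lib rules exist to be referenced from other rules by name through `match:` statements, yet every hunk in this patch changes only the `name:` line of the renamed file itself and no dependent rule appears in the patch as far as visible. Unless every rule that matches `PEB access`, `get OS version`, `contain pusha popa sequence` and the other renamed lib rules is updated in the same commit, those references stop resolving and the rule set fails capa's linter. Please update the `match:` sites in the same patch as the rename so no intermediate commit leaves dangling references, and run the repository's rule linter over the full set with the series applied.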
--- a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml
+++ b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: validate payment card number using luhn algorithm with lookup table
+ name: validate payment card number using luhn algorithm with lookup table via x86 assembly
 authors:
 - "@_re_fox"
 lib: true
diff --git a/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml b/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table-via-x86-assembly.yml
similarity index 98%
rename from lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml
rename to lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table-via-x86-assembly.yml
index c190adaa1..f66fcdf58 100644
--- a/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml
+++ b/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: validate payment card number using luhn algorithm with no lookup table
+ name: validate payment card number using luhn algorithm with no lookup table via x86 assembly
 authors:
 - "@_re_fox"
 lib: true
diff --git a/linking/runtime-linking/access-peb-ldr_data.yml b/linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml
similarity index 97%
rename from linking/runtime-linking/access-peb-ldr_data.yml
rename to linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml
index 99c5dd000..d18f87259 100644
--- a/linking/runtime-linking/access-peb-ldr_data.yml
+++ b/linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: access PEB ldr_data
+ name: access PEB ldr_data via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - moritz.raabe@mandiant.com
diff --git a/linking/runtime-linking/get-kernel32-base-address.yml b/linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml
similarity index 94%
rename from linking/runtime-linking/get-kernel32-base-address.yml
rename to linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml
index e897783f9..0fe61c045 100644
--- a/linking/runtime-linking/get-kernel32-base-address.yml
+++ b/linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get kernel32 base address
+ name: get kernel32 base address via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - moritz.raabe@mandiant.com
diff --git a/linking/runtime-linking/get-ntdll-base-address.yml b/linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml
similarity index 95%
rename from linking/runtime-linking/get-ntdll-base-address.yml
rename to linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml
index 74106ccf0..72f01cd30 100644
--- a/linking/runtime-linking/get-ntdll-base-address.yml
+++ b/linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get ntdll base address
+ name: get ntdll base address via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - moritz.raabe@mandiant.com
diff --git a/linking/runtime-linking/populate-syswhispers2-syscall-list.yml b/linking/runtime-linking/populate-syswhispers2-syscall-list-via-x86-assembly.yml
similarity index 95%
rename from linking/runtime-linking/populate-syswhispers2-syscall-list.yml
rename to linking/runtime-linking/populate-syswhispers2-syscall-list-via-x86-assembly.yml
index 96a12a282..f96334c8b 100644
--- a/linking/runtime-linking/populate-syswhispers2-syscall-list.yml
+++ b/linking/runtime-linking/populate-syswhispers2-syscall-list-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: populate SysWhispers2 syscall list
+ name: populate SysWhispers2 syscall list via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - still@teamt5.org
diff --git a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash-via-x86-assembly.yml
similarity index 94%
rename from linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
rename to linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash-via-x86-assembly.yml
index 807f4b8d2..89fe7a433 100644
--- a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
+++ b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: resolve function by Brute Ratel Badger hash
+ name: resolve function by Brute Ratel Badger hash via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - jakub.jozwiak@mandiant.com
diff --git a/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml b/linking/runtime-linking/resolve-function-by-fin8-fasthash-via-x86-assembly.yml
similarity index 95%
rename from linking/runtime-linking/resolve-function-by-fin8-fasthash.yml
rename to linking/runtime-linking/resolve-function-by-fin8-fasthash-via-x86-assembly.yml
index a4c9f239d..68b1cd2ce 100644
--- a/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml
+++ b/linking/runtime-linking/resolve-function-by-fin8-fasthash-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: resolve function by FIN8 fasthash
+ name: resolve function by FIN8 fasthash via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - "@r3c0nst (Frank Boldewin)"
diff --git a/linking/static/openssl/linked-against-openssl.yml b/linking/static/openssl/linked-against-openssl-via-x86-assembly.yml
similarity index 91%
rename from linking/static/openssl/linked-against-openssl.yml
rename to linking/static/openssl/linked-against-openssl-via-x86-assembly.yml
index 4f49aea81..4a19baf25 100644
--- a/linking/static/openssl/linked-against-openssl.yml
+++ b/linking/static/openssl/linked-against-openssl-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: linked against OpenSSL
+ name: linked against OpenSSL via x86 assembly
 namespace: linking/static/openssl
 authors:
 - william.ballenthin@mandiant.com
diff --git a/load-code/pe/enumerate-pe-sections.yml b/load-code/pe/enumerate-pe-sections-via-x86-assembly.yml
similarity index 97%
rename from load-code/pe/enumerate-pe-sections.yml
rename to load-code/pe/enumerate-pe-sections-via-x86-assembly.yml
index a992b380c..75cfac73a 100644
--- a/load-code/pe/enumerate-pe-sections.yml
+++ b/load-code/pe/enumerate-pe-sections-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: enumerate PE sections
+ name: enumerate PE sections via x86 assembly
 namespace: load-code/pe
 authors:
 - "@Ana06"
diff --git a/load-code/pe/parse-pe-header.yml b/load-code/pe/parse-pe-header-via-x86-assembly.yml
similarity index 98%
rename from load-code/pe/parse-pe-header.yml
rename to load-code/pe/parse-pe-header-via-x86-assembly.yml
index 20dc691b1..0d99fd18b 100644
--- a/load-code/pe/parse-pe-header.yml
+++ b/load-code/pe/parse-pe-header-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: parse PE header
+ name: parse PE header via x86 assembly
 namespace: load-code/pe
 authors:
 - moritz.raabe@mandiant.com
diff --git a/load-code/pe/rebuild-import-table.yml b/load-code/pe/rebuild-import-table-via-x86-assembly.yml
similarity index 96%
rename from load-code/pe/rebuild-import-table.yml
rename to load-code/pe/rebuild-import-table-via-x86-assembly.yml
index 8dd4eae12..2c0aecfab 100644
--- a/load-code/pe/rebuild-import-table.yml
+++ b/load-code/pe/rebuild-import-table-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: rebuild import table
+ name: rebuild import table via x86 assembly
 namespace: load-code/pe
 authors:
 - "@Ana06"
diff --git a/load-code/pe/resolve-function-by-parsing-pe-exports.yml b/load-code/pe/resolve-function-by-parsing-pe-exports-via-x86-assembly.yml
similarity index 94%
rename from load-code/pe/resolve-function-by-parsing-pe-exports.yml
rename to load-code/pe/resolve-function-by-parsing-pe-exports-via-x86-assembly.yml
index a32978499..a900ba653 100755
--- a/load-code/pe/resolve-function-by-parsing-pe-exports.yml
+++ b/load-code/pe/resolve-function-by-parsing-pe-exports-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: resolve function by parsing PE exports
+ name: resolve function by parsing PE exports via x86 assembly
 namespace: load-code/pe
 authors:
 - sara-rn
diff --git a/nursery/decode-data-using-base64-via-vbmi-lookup-table.yml b/nursery/decode-data-using-base64-via-vbmi-lookup-table-via-x86-assembly.yml
similarity index 95%
rename from nursery/decode-data-using-base64-via-vbmi-lookup-table.yml
rename to nursery/decode-data-using-base64-via-vbmi-lookup-table-via-x86-assembly.yml
index 499d15a81..49827b2b1 100644
--- a/nursery/decode-data-using-base64-via-vbmi-lookup-table.yml
+++ b/nursery/decode-data-using-base64-via-vbmi-lookup-table-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: decode data using Base64 via VBMI lookup table
+ name: decode data using Base64 via VBMI lookup table via x86 assembly
 namespace: data-manipulation/encoding/base64
 authors:
 - still@teamt5.org
diff --git a/nursery/execute-syscall.yml b/nursery/execute-syscall-via-x86-assembly.yml
similarity index 95%
rename from nursery/execute-syscall.yml
rename to nursery/execute-syscall-via-x86-assembly.yml
index 0f61a2500..a7ed98fd3 100644
--- a/nursery/execute-syscall.yml
+++ b/nursery/execute-syscall-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: execute syscall
+ name: execute syscall via x86 assembly
 namespace: anti-analysis
 authors:
 - "@kulinacs"
diff --git a/nursery/get-ntoskrnl-base-address.yml b/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml
similarity index 94%
rename from nursery/get-ntoskrnl-base-address.yml
rename to nursery/get-ntoskrnl-base-address-via-x86-assembly.yml
index 157d9bc96..5494e60a2 100644
--- a/nursery/get-ntoskrnl-base-address.yml
+++ b/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get ntoskrnl base address
+ name: get ntoskrnl base address via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - "@mr-tz"
diff --git a/nursery/hook-routines-via-dlsym-rtld_next.yml b/nursery/hook-routines-via-dlsym-rtld_next-via-x86-assembly.yml
similarity index 90%
rename from nursery/hook-routines-via-dlsym-rtld_next.yml
rename to nursery/hook-routines-via-dlsym-rtld_next-via-x86-assembly.yml
index 9640bea57..5315980c9 100644
--- a/nursery/hook-routines-via-dlsym-rtld_next.yml
+++ b/nursery/hook-routines-via-dlsym-rtld_next-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: hook routines via dlsym RTLD_NEXT
+ name: hook routines via dlsym RTLD_NEXT via x86 assembly
 namespace: linking/hooking
 authors:
 - william.ballenthin@mandiant.com
diff --git a/nursery/reference-processor-manufacturer-constants.yml b/nursery/reference-processor-manufacturer-constants-via-x86-assembly.yml
similarity index 92%
rename from nursery/reference-processor-manufacturer-constants.yml
rename to nursery/reference-processor-manufacturer-constants-via-x86-assembly.yml
index 1002ba4c6..9bdb81340 100644
--- a/nursery/reference-processor-manufacturer-constants.yml
+++ b/nursery/reference-processor-manufacturer-constants-via-x86-assembly.yml
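Review bot: The hook-routines hunk renames a rule whose name describes a loader API pattern, `dlsym` with `RTLD_NEXT`, to `hook routines via dlsym RTLD_NEXT via x86 assembly`, but that technique is not inherently x86-specific and this file is absent from the list of rules that patch 2/6 reverts. If the rule body matches on the API call and the constant rather than on instruction mnemonics or operands, it should keep its original name and path; only rules whose features are instruction-level deserve the suffix. The rule body lies outside this hunk, so please confirm from the file before keeping the rename, and state in the commit message what criterion decided which rules got the suffix.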
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: reference processor manufacturer constants
+ name: reference processor manufacturer constants via x86 assembly
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - matthew.williams@mandiant.com
diff --git a/nursery/send-sms-on-android.yml b/nursery/send-sms-on-android-via-x86-assembly.yml
similarity index 93%
rename from nursery/send-sms-on-android.yml
rename to nursery/send-sms-on-android-via-x86-assembly.yml
index 1d47168db..47ae03e3d 100644
--- a/nursery/send-sms-on-android.yml
+++ b/nursery/send-sms-on-android-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: send SMS on Android
+ name: send SMS on Android via x86 assembly
 namespace: communication/sms
 authors:
 - "@mr-tz"
From a87eb3e9a792ff2cb73aa23fb7b6df40b901e7f0 Mon Sep 17 00:00:00 2001
From: akh7177
Date: Fri, 28 Feb 2025 22:32:12 +0530
Subject: [PATCH 2/6] Revert non-x86-specific rules to original names and correctly mark x86 rules
---
 ...line-via-x86-assembly.yml => patch-process-command-line.yml} | 2 +-
 ...with-crc32-via-x86-assembly.yml => hash-data-with-crc32.yml} | 2 +-
 ...lib-via-x86-assembly.yml => decompress-data-using-aplib.yml} | 2 +-
 ...g-ucl-via-x86-assembly.yml => decompress-data-using-ucl.yml} | 2 +-
 ...=> decode-data-using-base64-via-dword-translation-table.yml} | 2 +-
 ...ts-via-x86-assembly.yml => manually-build-aes-constants.yml} | 2 +-
 ...6-assembly.yml => encrypt-data-using-hc-128-via-wolfssl.yml} | 2 +-
 ...c-128-via-x86-assembly.yml => encrypt-data-using-hc-128.yml} | 2 +-
 ...uk-via-x86-assembly.yml => encrypt-data-using-sosemanuk.yml} | 2 +-
 ...sing-tea-via-x86-assembly.yml => decrypt-data-using-tea.yml} | 2 +-
 ...sing-tea-via-x86-assembly.yml => encrypt-data-using-tea.yml} | 2 +-
 ...-xxtea-via-x86-assembly.yml => encrypt-data-using-xxtea.yml} | 2 +-
 ...using-djb2-via-x86-assembly.yml => hash-data-using-djb2.yml} | 2 +-
 ...a-using-fnv-via-x86-assembly.yml => hash-data-using-fnv.yml} | 2 +-
 ...murmur3-via-x86-assembly.yml => hash-data-using-murmur3.yml} | 2 +-
 ...=> create-a-process-with-modified-io-handles-and-window.yml} | 2 +-
 ...n-linux-via-x86-assembly.yml => create-process-on-linux.yml} | 2 +-
 ...ssembly.yml => connect-to-wmi-namespace-via-wbemlocator.yml} | 2 +-
 lib/{get-os-version-via-x86-assembly.yml => get-os-version.yml} | 2 +-
 ...ment-card-number-using-luhn-algorithm-with-lookup-table.yml} | 2 +-
 ...t-card-number-using-luhn-algorithm-with-no-lookup-table.yml} | 2 +-
 ...-x86-assembly.yml => populate-syswhispers2-syscall-list.yml} | 2 +-
 ...mbly.yml => resolve-function-by-brute-ratel-badger-hash.yml} | 2 +-
 ...a-x86-assembly.yml => resolve-function-by-fin8-fasthash.yml} | 2 +-
 ...-openssl-via-x86-assembly.yml => linked-against-openssl.yml} | 2 +-
 ...-sections-via-x86-assembly.yml => enumerate-pe-sections.yml} | 2 +-
 ...parse-pe-header-via-x86-assembly.yml => parse-pe-header.yml} | 2 +-
 ...port-table-via-x86-assembly.yml => rebuild-import-table.yml} | 2 +-
 ...-assembly.yml => resolve-function-by-parsing-pe-exports.yml} | 2 +-
 ...y.yml => decode-data-using-base64-via-vbmi-lookup-table.yml} | 2 +-
 ...-on-android-via-x86-assembly.yml => send-sms-on-android.yml} | 2 +-
 31 files changed, 31 insertions(+), 31 deletions(-)
 rename anti-analysis/anti-forensic/{patch-process-command-line-via-x86-assembly.yml => patch-process-command-line.yml} (97%)
 rename data-manipulation/checksum/crc32/{hash-data-with-crc32-via-x86-assembly.yml => hash-data-with-crc32.yml} (95%)
 rename data-manipulation/compression/{decompress-data-using-aplib-via-x86-assembly.yml => decompress-data-using-aplib.yml} (96%)
 rename data-manipulation/compression/{decompress-data-using-ucl-via-x86-assembly.yml => decompress-data-using-ucl.yml} (96%)
 rename data-manipulation/encoding/base64/{decode-data-using-base64-via-dword-translation-table-via-x86-assembly.yml => decode-data-using-base64-via-dword-translation-table.yml} (97%)
 rename data-manipulation/encryption/aes/{manually-build-aes-constants-via-x86-assembly.yml => manually-build-aes-constants.yml} (95%)
 rename data-manipulation/encryption/hc-128/{encrypt-data-using-hc-128-via-wolfssl-via-x86-assembly.yml => encrypt-data-using-hc-128-via-wolfssl.yml} (95%)
 rename data-manipulation/encryption/hc-128/{encrypt-data-using-hc-128-via-x86-assembly.yml => encrypt-data-using-hc-128.yml} (97%)
 rename data-manipulation/encryption/sosemanuk/{encrypt-data-using-sosemanuk-via-x86-assembly.yml => encrypt-data-using-sosemanuk.yml} (97%)
 rename data-manipulation/encryption/tea/{decrypt-data-using-tea-via-x86-assembly.yml => decrypt-data-using-tea.yml} (96%)
 rename data-manipulation/encryption/tea/{encrypt-data-using-tea-via-x86-assembly.yml => encrypt-data-using-tea.yml} (96%)
 rename data-manipulation/encryption/xxtea/{encrypt-data-using-xxtea-via-x86-assembly.yml =>
encrypt-data-using-xxtea.yml} (96%)
 rename data-manipulation/hashing/djb2/{hash-data-using-djb2-via-x86-assembly.yml => hash-data-using-djb2.yml} (94%)
 rename data-manipulation/hashing/fnv/{hash-data-using-fnv-via-x86-assembly.yml => hash-data-using-fnv.yml} (97%)
 rename data-manipulation/hashing/murmur/{hash-data-using-murmur3-via-x86-assembly.yml => hash-data-using-murmur3.yml} (97%)
 rename host-interaction/process/create/{create-a-process-with-modified-io-handles-and-window-via-x86-assembly.yml => create-a-process-with-modified-io-handles-and-window.yml} (96%)
 rename host-interaction/process/create/{create-process-on-linux-via-x86-assembly.yml => create-process-on-linux.yml} (93%)
 rename host-interaction/wmi/{connect-to-wmi-namespace-via-wbemlocator-via-x86-assembly.yml => connect-to-wmi-namespace-via-wbemlocator.yml} (95%)
 rename lib/{get-os-version-via-x86-assembly.yml => get-os-version.yml} (95%)
 rename lib/{validate-payment-card-number-using-luhn-algorithm-with-lookup-table-via-x86-assembly.yml => validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml} (98%)
 rename lib/{validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table-via-x86-assembly.yml => validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml} (98%)
 rename linking/runtime-linking/{populate-syswhispers2-syscall-list-via-x86-assembly.yml => populate-syswhispers2-syscall-list.yml} (95%)
 rename linking/runtime-linking/{resolve-function-by-brute-ratel-badger-hash-via-x86-assembly.yml => resolve-function-by-brute-ratel-badger-hash.yml} (94%)
 rename linking/runtime-linking/{resolve-function-by-fin8-fasthash-via-x86-assembly.yml => resolve-function-by-fin8-fasthash.yml} (95%)
 rename linking/static/openssl/{linked-against-openssl-via-x86-assembly.yml => linked-against-openssl.yml} (91%)
 rename load-code/pe/{enumerate-pe-sections-via-x86-assembly.yml => enumerate-pe-sections.yml} (97%)
 rename load-code/pe/{parse-pe-header-via-x86-assembly.yml =>
parse-pe-header.yml} (98%)
 rename load-code/pe/{rebuild-import-table-via-x86-assembly.yml => rebuild-import-table.yml} (96%)
 rename load-code/pe/{resolve-function-by-parsing-pe-exports-via-x86-assembly.yml => resolve-function-by-parsing-pe-exports.yml} (94%)
 rename nursery/{decode-data-using-base64-via-vbmi-lookup-table-via-x86-assembly.yml => decode-data-using-base64-via-vbmi-lookup-table.yml} (95%)
 rename nursery/{send-sms-on-android-via-x86-assembly.yml => send-sms-on-android.yml} (93%)
diff --git a/anti-analysis/anti-forensic/patch-process-command-line-via-x86-assembly.yml b/anti-analysis/anti-forensic/patch-process-command-line.yml
similarity index 97%
rename from anti-analysis/anti-forensic/patch-process-command-line-via-x86-assembly.yml
rename to anti-analysis/anti-forensic/patch-process-command-line.yml
index b4a95da43..4a1d0f021 100644
--- a/anti-analysis/anti-forensic/patch-process-command-line-via-x86-assembly.yml
+++ b/anti-analysis/anti-forensic/patch-process-command-line.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: patch process command line via x86 assembly
+ name: patch process command line
 namespace: anti-analysis/anti-forensic
 authors:
 - william.ballenthin@mandiant.com
diff --git a/data-manipulation/checksum/crc32/hash-data-with-crc32-via-x86-assembly.yml b/data-manipulation/checksum/crc32/hash-data-with-crc32.yml
similarity index 95%
rename from data-manipulation/checksum/crc32/hash-data-with-crc32-via-x86-assembly.yml
rename to data-manipulation/checksum/crc32/hash-data-with-crc32.yml
index 3aebbec6c..f258a193a 100644
--- a/data-manipulation/checksum/crc32/hash-data-with-crc32-via-x86-assembly.yml
+++ b/data-manipulation/checksum/crc32/hash-data-with-crc32.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: hash data with CRC32 via x86 assembly
+ name: hash data with CRC32
 namespace: data-manipulation/checksum/crc32
 authors:
 - moritz.raabe@mandiant.com
diff --git a/data-manipulation/compression/decompress-data-using-aplib-via-x86-assembly.yml b/data-manipulation/compression/decompress-data-using-aplib.yml
similarity index 96%
rename from data-manipulation/compression/decompress-data-using-aplib-via-x86-assembly.yml
rename to data-manipulation/compression/decompress-data-using-aplib.yml
index 9d5849f41..6f6f4b58c 100644
--- a/data-manipulation/compression/decompress-data-using-aplib-via-x86-assembly.yml
+++ b/data-manipulation/compression/decompress-data-using-aplib.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: decompress data using aPLib via x86 assembly
+ name: decompress data using aPLib
 namespace: data-manipulation/compression
 authors:
 - "@r3c0nst (Frank Boldewin)"
diff --git a/data-manipulation/compression/decompress-data-using-ucl-via-x86-assembly.yml b/data-manipulation/compression/decompress-data-using-ucl.yml
similarity index 96%
rename from data-manipulation/compression/decompress-data-using-ucl-via-x86-assembly.yml
rename to data-manipulation/compression/decompress-data-using-ucl.yml
index ad96f04c0..937e644da 100644
--- a/data-manipulation/compression/decompress-data-using-ucl-via-x86-assembly.yml
+++ b/data-manipulation/compression/decompress-data-using-ucl.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: decompress data using UCL via x86 assembly
+ name: decompress data using UCL
 namespace: data-manipulation/compression
 authors:
 - jakub.jozwiak@mandiant.com
diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table-via-x86-assembly.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
similarity index 97%
rename from data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table-via-x86-assembly.yml
rename to data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
index 2cce8564e..d8c1b9e6b 100644
--- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table-via-x86-assembly.yml
+++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: decode data using Base64 via dword translation table via x86 assembly
+ name: decode data using Base64 via dword translation table
 namespace: data-manipulation/encoding/base64
 authors:
 - gilbert.elliot@mandiant.com
diff --git a/data-manipulation/encryption/aes/manually-build-aes-constants-via-x86-assembly.yml b/data-manipulation/encryption/aes/manually-build-aes-constants.yml
similarity index 95%
rename from data-manipulation/encryption/aes/manually-build-aes-constants-via-x86-assembly.yml
rename to data-manipulation/encryption/aes/manually-build-aes-constants.yml
index 399356331..b49ac0b69 100644
--- a/data-manipulation/encryption/aes/manually-build-aes-constants-via-x86-assembly.yml
+++ b/data-manipulation/encryption/aes/manually-build-aes-constants.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: manually build AES constants via x86 assembly
+ name: manually build AES constants
 namespace: data-manipulation/encryption/aes
 authors:
 - huynh.t.nhan@gmail.com
diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl-via-x86-assembly.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml
similarity index 95%
rename from data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl-via-x86-assembly.yml
rename to data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml
index e0236958d..8211d5e07 100755
--- a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl-via-x86-assembly.yml
+++ b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml
@@ -1,7 +1,7 @@
 # generated using capa explorer for IDA Pro
 rule:
 meta:
- name: encrypt data using HC-128 via WolfSSL via x86 assembly
+ name: encrypt data using HC-128 via WolfSSL
 namespace: data-manipulation/encryption/hc-128
 authors:
 - blaine.stancill@mandiant.com
diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-x86-assembly.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml
similarity index 97%
rename from data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-x86-assembly.yml
rename to data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml
index 9ff253b5a..a401c9c05 100644
--- a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-x86-assembly.yml
+++ b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: encrypt data using HC-128 via x86 assembly
+ name: encrypt data using HC-128
 namespace: data-manipulation/encryption/hc-128
 authors:
 - awillia2@cisco.com
diff --git a/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk-via-x86-assembly.yml b/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml
similarity index 97%
rename from data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk-via-x86-assembly.yml
rename to data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml
index 018bf3778..a13a20860 100644
--- a/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk-via-x86-assembly.yml
+++ b/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: encrypt data using Sosemanuk via x86 assembly
+ name: encrypt data using Sosemanuk
 namespace: data-manipulation/encryption/sosemanuk
 authors:
 - awillia2@cisco.com
diff --git a/data-manipulation/encryption/tea/decrypt-data-using-tea-via-x86-assembly.yml b/data-manipulation/encryption/tea/decrypt-data-using-tea.yml
similarity index 96%
rename from data-manipulation/encryption/tea/decrypt-data-using-tea-via-x86-assembly.yml
rename to data-manipulation/encryption/tea/decrypt-data-using-tea.yml
index 284cbc908..97d826fa9 100755
--- a/data-manipulation/encryption/tea/decrypt-data-using-tea-via-x86-assembly.yml
+++ b/data-manipulation/encryption/tea/decrypt-data-using-tea.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: decrypt data using TEA via x86 assembly
+ name: decrypt data using TEA
 namespace: data-manipulation/encryption/tea
 authors:
 - william.ballenthin@mandiant.com
diff --git a/data-manipulation/encryption/tea/encrypt-data-using-tea-via-x86-assembly.yml b/data-manipulation/encryption/tea/encrypt-data-using-tea.yml
similarity index 96%
rename from data-manipulation/encryption/tea/encrypt-data-using-tea-via-x86-assembly.yml
rename to data-manipulation/encryption/tea/encrypt-data-using-tea.yml
index d5a4d5945..7262cb1db 100755
--- a/data-manipulation/encryption/tea/encrypt-data-using-tea-via-x86-assembly.yml
+++ b/data-manipulation/encryption/tea/encrypt-data-using-tea.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: encrypt data using TEA via x86 assembly
+ name: encrypt data using TEA
 namespace: data-manipulation/encryption/tea
 authors:
 - william.ballenthin@mandiant.com
diff --git a/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea-via-x86-assembly.yml b/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml
similarity index 96%
rename from data-manipulation/encryption/xxtea/encrypt-data-using-xxtea-via-x86-assembly.yml
rename to data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml
index e192df7d8..565256c6f 100755
--- a/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea-via-x86-assembly.yml
+++ b/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: encrypt data using XXTEA via x86 assembly
+ name: encrypt data using XXTEA
 namespace: data-manipulation/encryption/xxtea
 authors:
 - raymond.leong@mandiant.com
diff --git a/data-manipulation/hashing/djb2/hash-data-using-djb2-via-x86-assembly.yml b/data-manipulation/hashing/djb2/hash-data-using-djb2.yml
similarity index 94%
rename from data-manipulation/hashing/djb2/hash-data-using-djb2-via-x86-assembly.yml
rename to data-manipulation/hashing/djb2/hash-data-using-djb2.yml
index c3e270f26..43a178796 100644
--- a/data-manipulation/hashing/djb2/hash-data-using-djb2-via-x86-assembly.yml
+++ b/data-manipulation/hashing/djb2/hash-data-using-djb2.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: hash data using djb2 via x86 assembly
+ name: hash data using djb2
 namespace: data-manipulation/hashing/djb2
 authors:
 - awillia2@cisco.com
diff --git a/data-manipulation/hashing/fnv/hash-data-using-fnv-via-x86-assembly.yml b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml
similarity index 97%
rename from data-manipulation/hashing/fnv/hash-data-using-fnv-via-x86-assembly.yml
rename to data-manipulation/hashing/fnv/hash-data-using-fnv.yml
index 535d1865f..40ddfa616 100644
--- a/data-manipulation/hashing/fnv/hash-data-using-fnv-via-x86-assembly.yml
+++ b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: hash data using fnv via x86 assembly
+ name: hash data using fnv
 namespace: data-manipulation/hashing/fnv
 authors:
 - moritz.raabe@mandiant.com
diff --git a/data-manipulation/hashing/murmur/hash-data-using-murmur3-via-x86-assembly.yml b/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml
similarity index 97%
rename from data-manipulation/hashing/murmur/hash-data-using-murmur3-via-x86-assembly.yml
rename to data-manipulation/hashing/murmur/hash-data-using-murmur3.yml
index 77ec7b221..4b87aca3f 100644
--- a/data-manipulation/hashing/murmur/hash-data-using-murmur3-via-x86-assembly.yml
+++ b/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: hash data using murmur3 via x86 assembly
+ name: hash data using murmur3
 namespace: data-manipulation/hashing/murmur
 authors:
 - william.ballenthin@mandiant.com
diff --git a/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window-via-x86-assembly.yml b/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml
similarity index 96%
rename from host-interaction/process/create/create-a-process-with-modified-io-handles-and-window-via-x86-assembly.yml
rename to host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml
index 00eeabe01..292df5a22 100644
--- a/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window-via-x86-assembly.yml
+++ b/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: create a process with modified I/O handles and window via x86 assembly
+ name: create a process with modified I/O handles and window
 namespace: host-interaction/process/create
 authors:
 - matthew.williams@mandiant.com
diff --git a/host-interaction/process/create/create-process-on-linux-via-x86-assembly.yml b/host-interaction/process/create/create-process-on-linux.yml
similarity index 93%
rename from host-interaction/process/create/create-process-on-linux-via-x86-assembly.yml
rename to host-interaction/process/create/create-process-on-linux.yml
index b186ba22a..8394567ca 100644
--- a/host-interaction/process/create/create-process-on-linux-via-x86-assembly.yml
+++ b/host-interaction/process/create/create-process-on-linux.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: create process on Linux via x86 assembly
+ name: create process on Linux
 namespace: host-interaction/process/create
 authors:
 - joakim@intezer.com
diff --git a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator-via-x86-assembly.yml b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml
similarity index 95%
rename from host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator-via-x86-assembly.yml
rename to host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml
index 049ac908c..d62247bb5 100644
--- a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator-via-x86-assembly.yml
+++ b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml
@@ -1,7 +1,7 @@
 # generated using capa explorer for IDA Pro
 rule:
 meta:
- name: connect to WMI namespace via WbemLocator via x86 assembly
+ name: connect to WMI namespace via WbemLocator
 namespace: host-interaction/wmi
 authors:
 - michael.hunhoff@mandiant.com
diff --git a/lib/get-os-version-via-x86-assembly.yml b/lib/get-os-version.yml
similarity index 95%
rename from lib/get-os-version-via-x86-assembly.yml
rename to lib/get-os-version.yml
index 1443cb777..2cb26218d 100644
--- a/lib/get-os-version-via-x86-assembly.yml
+++ b/lib/get-os-version.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get OS version via x86 assembly
+ name: get OS version
 authors:
 - "@mr-tz"
 lib: true
diff --git a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table-via-x86-assembly.yml b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml
similarity index 98%
rename from lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table-via-x86-assembly.yml
rename to lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml
index 5ae117dc1..bbac2e8ad 100644
--- a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table-via-x86-assembly.yml
+++ b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml
@@ -1,6 +1,6 @@ rule: meta: - name: validate payment card number using luhn algorithm with lookup table via x86 assembly + name: validate payment card number using luhn algorithm with lookup table authors: - "@_re_fox" lib: true diff --git a/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table-via-x86-assembly.yml b/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml similarity index 98% rename from lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table-via-x86-assembly.yml rename to lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml index f66fcdf58..c190adaa1 100644 --- a/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table-via-x86-assembly.yml +++ b/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml @@ -1,6 +1,6 @@ rule: meta: - name: validate payment card number using luhn algorithm with no lookup table via x86 assembly + name: validate payment card number using luhn algorithm with no lookup table authors: - "@_re_fox" lib: true diff --git a/linking/runtime-linking/populate-syswhispers2-syscall-list-via-x86-assembly.yml b/linking/runtime-linking/populate-syswhispers2-syscall-list.yml similarity index 95% rename from linking/runtime-linking/populate-syswhispers2-syscall-list-via-x86-assembly.yml rename to linking/runtime-linking/populate-syswhispers2-syscall-list.yml index f96334c8b..96a12a282 100644 --- a/linking/runtime-linking/populate-syswhispers2-syscall-list-via-x86-assembly.yml +++ b/linking/runtime-linking/populate-syswhispers2-syscall-list.yml @@ -1,6 +1,6 @@ rule: meta: - name: populate SysWhispers2 syscall list via x86 assembly + name: populate SysWhispers2 syscall list namespace: linking/runtime-linking authors: - still@teamt5.org 
diff --git a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash-via-x86-assembly.yml b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml similarity index 94% rename from linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash-via-x86-assembly.yml rename to linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml index 89fe7a433..807f4b8d2 100644 --- a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash-via-x86-assembly.yml +++ b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml @@ -1,6 +1,6 @@ rule: meta: - name: resolve function by Brute Ratel Badger hash via x86 assembly + name: resolve function by Brute Ratel Badger hash namespace: linking/runtime-linking authors: - jakub.jozwiak@mandiant.com diff --git a/linking/runtime-linking/resolve-function-by-fin8-fasthash-via-x86-assembly.yml b/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml similarity index 95% rename from linking/runtime-linking/resolve-function-by-fin8-fasthash-via-x86-assembly.yml rename to linking/runtime-linking/resolve-function-by-fin8-fasthash.yml index 68b1cd2ce..a4c9f239d 100644 --- a/linking/runtime-linking/resolve-function-by-fin8-fasthash-via-x86-assembly.yml +++ b/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml @@ -1,6 +1,6 @@ rule: meta: - name: resolve function by FIN8 fasthash via x86 assembly + name: resolve function by FIN8 fasthash namespace: linking/runtime-linking authors: - "@r3c0nst (Frank Boldewin)" diff --git a/linking/static/openssl/linked-against-openssl-via-x86-assembly.yml b/linking/static/openssl/linked-against-openssl.yml similarity index 91% rename from linking/static/openssl/linked-against-openssl-via-x86-assembly.yml rename to linking/static/openssl/linked-against-openssl.yml index 4a19baf25..4f49aea81 100644 --- a/linking/static/openssl/linked-against-openssl-via-x86-assembly.yml +++ b/linking/static/openssl/linked-against-openssl.yml 
@@ -1,6 +1,6 @@ rule: meta: - name: linked against OpenSSL via x86 assembly + name: linked against OpenSSL namespace: linking/static/openssl authors: - william.ballenthin@mandiant.com diff --git a/load-code/pe/enumerate-pe-sections-via-x86-assembly.yml b/load-code/pe/enumerate-pe-sections.yml similarity index 97% rename from load-code/pe/enumerate-pe-sections-via-x86-assembly.yml rename to load-code/pe/enumerate-pe-sections.yml index 75cfac73a..a992b380c 100644 --- a/load-code/pe/enumerate-pe-sections-via-x86-assembly.yml +++ b/load-code/pe/enumerate-pe-sections.yml @@ -1,6 +1,6 @@ rule: meta: - name: enumerate PE sections via x86 assembly + name: enumerate PE sections namespace: load-code/pe authors: - "@Ana06" diff --git a/load-code/pe/parse-pe-header-via-x86-assembly.yml b/load-code/pe/parse-pe-header.yml similarity index 98% rename from load-code/pe/parse-pe-header-via-x86-assembly.yml rename to load-code/pe/parse-pe-header.yml index 0d99fd18b..20dc691b1 100644 --- a/load-code/pe/parse-pe-header-via-x86-assembly.yml +++ b/load-code/pe/parse-pe-header.yml @@ -1,6 +1,6 @@ rule: meta: - name: parse PE header via x86 assembly + name: parse PE header namespace: load-code/pe authors: - moritz.raabe@mandiant.com diff --git a/load-code/pe/rebuild-import-table-via-x86-assembly.yml b/load-code/pe/rebuild-import-table.yml similarity index 96% rename from load-code/pe/rebuild-import-table-via-x86-assembly.yml rename to load-code/pe/rebuild-import-table.yml index 2c0aecfab..8dd4eae12 100644 --- a/load-code/pe/rebuild-import-table-via-x86-assembly.yml +++ b/load-code/pe/rebuild-import-table.yml @@ -1,6 +1,6 @@ rule: meta: - name: rebuild import table via x86 assembly + name: rebuild import table namespace: load-code/pe authors: - "@Ana06" 
diff --git a/load-code/pe/resolve-function-by-parsing-pe-exports-via-x86-assembly.yml b/load-code/pe/resolve-function-by-parsing-pe-exports.yml similarity index 94% rename from load-code/pe/resolve-function-by-parsing-pe-exports-via-x86-assembly.yml rename to load-code/pe/resolve-function-by-parsing-pe-exports.yml index a900ba653..a32978499 100755 --- a/load-code/pe/resolve-function-by-parsing-pe-exports-via-x86-assembly.yml +++ b/load-code/pe/resolve-function-by-parsing-pe-exports.yml @@ -1,6 +1,6 @@ rule: meta: - name: resolve function by parsing PE exports via x86 assembly + name: resolve function by parsing PE exports namespace: load-code/pe authors: - sara-rn diff --git a/nursery/decode-data-using-base64-via-vbmi-lookup-table-via-x86-assembly.yml b/nursery/decode-data-using-base64-via-vbmi-lookup-table.yml similarity index 95% rename from nursery/decode-data-using-base64-via-vbmi-lookup-table-via-x86-assembly.yml rename to nursery/decode-data-using-base64-via-vbmi-lookup-table.yml index 49827b2b1..499d15a81 100644 --- a/nursery/decode-data-using-base64-via-vbmi-lookup-table-via-x86-assembly.yml +++ b/nursery/decode-data-using-base64-via-vbmi-lookup-table.yml @@ -1,6 +1,6 @@ rule: meta: - name: decode data using Base64 via VBMI lookup table via x86 assembly + name: decode data using Base64 via VBMI lookup table namespace: data-manipulation/encoding/base64 authors: - still@teamt5.org diff --git a/nursery/send-sms-on-android-via-x86-assembly.yml b/nursery/send-sms-on-android.yml similarity index 93% rename from nursery/send-sms-on-android-via-x86-assembly.yml rename to nursery/send-sms-on-android.yml index 47ae03e3d..1d47168db 100644 --- a/nursery/send-sms-on-android-via-x86-assembly.yml +++ b/nursery/send-sms-on-android.yml @@ -1,6 +1,6 @@ rule: meta: - name: send SMS on Android via x86 assembly + name: send SMS on Android namespace: communication/sms authors: - "@mr-tz" From 85bb79d7447f145e2f15ec362638b9f4df20249b Mon Sep 17 00:00:00 2001 
From: akh7177 Date: Sat, 1 Mar 2025 13:15:58 +0530 Subject: [PATCH 3/6] Fix rule logic for get-ntoskrnl-base-address-via-x86-assembly.yml --- ...get-ntoskrnl-base-address-via-x86-assembly.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml b/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml index 5494e60a2..e00deab68 100644 --- a/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml +++ b/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml @@ -4,6 +4,7 @@ rule: namespace: linking/runtime-linking authors: - "@mr-tz" + - "@akh7177" scopes: static: function dynamic: unsupported # requires offset features @@ -19,9 +20,11 @@ rule: - description: returns RTL_PROCESS_MODULES structure - number: 0xB = SystemModuleInformation - match: get system information on Windows - - and: - - arch: i386 - - offset: 0xC = RTL_PROCESS_MODULES.Modules[0].ImageBase - - and: - - arch: amd64 - - offset: 0x18 = RTL_PROCESS_MODULES.Modules[0].ImageBase + - or: + - and: + - arch: i386 + - offset: 0xC = RTL_PROCESS_MODULES.Modules[0].ImageBase + - and: + - arch: amd64 + - offset: 0x18 = RTL_PROCESS_MODULES.Modules[0].ImageBase + From 654180dc07152170ecd853de6b5a3e192bb59bb6 Mon Sep 17 00:00:00 2001 From: Abhyuday Hegde Date: Tue, 11 Mar 2025 07:58:45 +0530 Subject: [PATCH 4/6] Rename architecture-specific rules and fix logic for get-ntoskrnl-base-address-via-x86-assembly.yml --- nursery/get-ntoskrnl-base-address-via-x86-assembly.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml b/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml index e00deab68..d1d8a5ebb 100644 --- a/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml +++ b/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml @@ -27,4 +27,3 @@ rule: - and: - arch: amd64 - offset: 0x18 = RTL_PROCESS_MODULES.Modules[0].ImageBase - 
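Review bot: The new `or:` makes the two arch-gated branches reachable, but each branch still rests on a single bare `offset:` feature evaluated at function scope — `offset: 0xC` on i386 (or `0x18` on amd64) is produced by almost any struct-field access in the function, so with only `match: get system information on Windows` alongside it the rule will tend to fire on functions that call NtQuerySystemInformation for other information classes as well. Since the rule lives under `nursery/`, landing it is acceptable, but a comment such as `# offset alone is weak evidence; the lib match only proves the API is used somewhere in the function` above the `or:` would warn the next maintainer, and a second, less common feature tied to the returned buffer would reduce noise before promotion. The `features:` block and the `and:` this `or:` is nested under open before the hunk, so the effective parent should be confirmed. The blank `+` line appended at end of file here is dropped again in the next commit; squashing the two would keep the history clean.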
From ec3e955e14cc6d8a4643f9ed29e6212d74c35868 Mon Sep 17 00:00:00 2001 From: Abhyuday Hegde Date: Tue, 11 Mar 2025 22:17:09 +0530 Subject: [PATCH 5/6] Rename architecture-specific rules and fix logic for get-ntoskrnl-base-address-via-x86-assembly.yml --- anti-analysis/packer/generic/packed-with-generic-packer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/anti-analysis/packer/generic/packed-with-generic-packer.yml b/anti-analysis/packer/generic/packed-with-generic-packer.yml index f388bfddc..55f3d2a40 100644 --- a/anti-analysis/packer/generic/packed-with-generic-packer.yml +++ b/anti-analysis/packer/generic/packed-with-generic-packer.yml @@ -23,4 +23,4 @@ rule: - mnemonic: popad # vivisect - characteristic: cross section flow - not: - - match: contain pusha popa sequence + - match: contain pusha popa sequence via x86 assembly From 5f55ee4a9aa9991b3ecc1109011a0741c4f19739 Mon Sep 17 00:00:00 2001 
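Review bot: This commit re-points only one of the two `match:` references to the renamed `contain pusha popa sequence via x86 assembly` lib rule; the other one, in `anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml`, is updated in a separate later commit, so at this commit the rule set refers to both the old and the new name. As far as I recall, capa resolves `match:` dependencies when the rule set is loaded and rejects an unresolved name, which would make this commit and the ones before it fail rule linting in CI and break bisecting. The rename and every reference update belong in a single commit. The subject line also says `fix logic for get-ntoskrnl-base-address-via-x86-assembly.yml` while the diff touches only `packed-with-generic-packer.yml`.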
From: Abhyuday Hegde Date: Wed, 12 Mar 2025 13:35:39 +0530 Subject: [PATCH 6/6] Rename architecture-specific rules and update rule name and match feature inside YAML files --- .../debugger-detection/check-for-peb-beingdebugged-flag.yml | 2 +- .../check-for-peb-ntglobalflag-flag-via-x86-assembly.yml | 2 +- anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml | 2 +- .../hc-128/encrypt-data-using-hc-128-via-wolfssl.yml | 0 .../rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml | 0 data-manipulation/encryption/tea/decrypt-data-using-tea.yml | 0 data-manipulation/encryption/tea/encrypt-data-using-tea.yml | 0 data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml | 0 .../encryption/xxtea/encrypt-data-using-xxtea.yml | 0 .../cpu/get-number-of-processors-via-x86-assembly.yml | 2 +- .../log/clfs/read-data-from-clfs-log-container.yml | 0 host-interaction/process/create/create-process-on-linux.yml | 2 +- .../process/get-process-heap-flags-via-x86-assembly.yml | 2 +- .../process/get-process-heap-force-flags-via-x86-assembly.yml | 2 +- ...assembly.yml => calculate-modulo-256-via-x86-assembly.yml} | 2 +- lib/get-os-version.yml | 2 +- .../runtime-linking/access-peb-ldr_data-via-x86-assembly.yml | 4 ++-- .../get-kernel32-base-address-via-x86-assembly.yml | 2 +- .../get-ntdll-base-address-via-x86-assembly.yml | 2 +- load-code/pe/resolve-function-by-parsing-pe-exports.yml | 0 nursery/append-data-to-clfs-log-container.yml | 0 nursery/hash-data-using-ripemd128.yml | 0 nursery/hash-data-using-ripemd256.yml | 0 nursery/hash-data-using-ripemd320.yml | 0 24 files changed, 13 insertions(+), 13 deletions(-) mode change 100755 => 100644 data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml mode change 100755 => 100644 data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml mode change 100755 => 100644 data-manipulation/encryption/tea/decrypt-data-using-tea.yml mode change 100755 => 100644 
data-manipulation/encryption/tea/encrypt-data-using-tea.yml mode change 100755 => 100644 data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml mode change 100755 => 100644 data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml mode change 100755 => 100644 host-interaction/log/clfs/read-data-from-clfs-log-container.yml rename lib/{calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml => calculate-modulo-256-via-x86-assembly.yml} (88%) mode change 100755 => 100644 load-code/pe/resolve-function-by-parsing-pe-exports.yml mode change 100755 => 100644 nursery/append-data-to-clfs-log-container.yml mode change 100755 => 100644 nursery/hash-data-using-ripemd128.yml mode change 100755 => 100644 nursery/hash-data-using-ripemd256.yml mode change 100755 => 100644 nursery/hash-data-using-ripemd320.yml diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml index 32fc1d127..f34ad103f 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml @@ -15,5 +15,5 @@ rule: - Practical Malware Analysis Lab 16-01.exe_:0x403530 features: - and: - - match: PEB access + - match: PEB access via x86 assembly - offset: 2 = PEB.BeingDebugged diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml index b3da03ab4..1186cf2f3 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml 
@@ -18,7 +18,7 @@ rule: - and: - basic block: - and: - - match: PEB access + - match: PEB access via x86 assembly - or: - and: - arch: i386 diff --git a/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml b/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml index cf6d86659..3104290ea 100644 --- a/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml +++ b/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml @@ -13,4 +13,4 @@ rule: - a5c70086b3bc4fe64f4e7a0aa452e620 features: - or: - - count(match(contain pusha popa sequence)): 10 or more + - count(match(contain pusha popa sequence via x86 assembly)): 10 or more diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml old mode 100755 new mode 100644 diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml old mode 100755 new mode 100644 diff --git a/data-manipulation/encryption/tea/decrypt-data-using-tea.yml b/data-manipulation/encryption/tea/decrypt-data-using-tea.yml old mode 100755 new mode 100644 diff --git a/data-manipulation/encryption/tea/encrypt-data-using-tea.yml b/data-manipulation/encryption/tea/encrypt-data-using-tea.yml old mode 100755 new mode 100644 diff --git a/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml b/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml old mode 100755 new mode 100644 diff --git a/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml b/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml old mode 100755 new mode 100644 diff --git a/host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml b/host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml index 28ffe8423..0fa4773ea 100644 
--- a/host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml +++ b/host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml @@ -17,7 +17,7 @@ rule: features: - or: - and: - - match: PEB access + - match: PEB access via x86 assembly - or: - and: - arch: i386 diff --git a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml old mode 100755 new mode 100644 diff --git a/host-interaction/process/create/create-process-on-linux.yml b/host-interaction/process/create/create-process-on-linux.yml index 8394567ca..9a3308b5b 100644 --- a/host-interaction/process/create/create-process-on-linux.yml +++ b/host-interaction/process/create/create-process-on-linux.yml @@ -20,7 +20,7 @@ rule: - or: - api: execve - and: - - match: execute syscall + - match: execute syscall via x86 assembly - arch: aarch64 - number: 0xdd = execve - api: execl diff --git a/host-interaction/process/get-process-heap-flags-via-x86-assembly.yml b/host-interaction/process/get-process-heap-flags-via-x86-assembly.yml index ec09b2f79..6f193f437 100644 --- a/host-interaction/process/get-process-heap-flags-via-x86-assembly.yml +++ b/host-interaction/process/get-process-heap-flags-via-x86-assembly.yml @@ -15,7 +15,7 @@ rule: - al-khaser_x86.exe_:0x425470 features: - and: - - match: PEB access + - match: PEB access via x86 assembly - or: - and: - arch: i386 diff --git a/host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml b/host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml index 09257f2f5..1edaa7df2 100644 --- a/host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml +++ b/host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml @@ -15,7 +15,7 @@ rule: - al-khaser_x86.exe_:0x425470 features: - and: - - match: PEB access + - match: PEB access via x86 assembly - or: - and: - arch: i386 
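Review bot: In `create-process-on-linux.yml` the updated `match: execute syscall via x86 assembly` sits in an `and:` together with `arch: aarch64` and `number: 0xdd = execve`, i.e. this branch is the AArch64 execve path, yet the lib rule it now depends on is named as x86-specific. Either the lib rule's body still matches the AArch64 `svc` form, in which case the `via x86 assembly` suffix is misleading and should be reverted like the other non-x86-specific rules earlier in this series, or it was narrowed to x86 mnemonics, in which case this `and:` can never be satisfied and ARM64 Linux execve detection is silently lost. The lib rule's body is not part of this diff, so please confirm which case applies before landing; if it is the former, a comment such as `# lib rule also covers the aarch64 svc form` next to the match would make the intent explicit.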
diff --git a/lib/calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml b/lib/calculate-modulo-256-via-x86-assembly.yml similarity index 88% rename from lib/calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml rename to lib/calculate-modulo-256-via-x86-assembly.yml index 0dfb40877..2b8b56212 100644 --- a/lib/calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml +++ b/lib/calculate-modulo-256-via-x86-assembly.yml @@ -1,6 +1,6 @@ rule: meta: - name: calculate modulo 256 via x86 assembly via x86 assembly + name: calculate modulo 256 via x86 assembly authors: - moritz.raabe@mandiant.com lib: true diff --git a/lib/get-os-version.yml b/lib/get-os-version.yml index 2cb26218d..97e6b2588 100644 --- a/lib/get-os-version.yml +++ b/lib/get-os-version.yml @@ -21,7 +21,7 @@ rule: - api: RtlGetNtVersionNumbers - api: GetProductInfo - and: - - match: PEB access + - match: PEB access via x86 assembly - or: - and: - arch: i386 diff --git a/linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml b/linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml index d18f87259..27e687efd 100644 --- a/linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml +++ b/linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml @@ -20,7 +20,7 @@ rule: - arch: i386 - description: x32 - - match: PEB access + - match: PEB access via x86 assembly # x86 Windows uses fs:0 to access the TIB which contains SEH information at offset 0 # checking for fs:0 and a (possibly unrelated) number or offset often results in false positives @@ -37,7 +37,7 @@ rule: - arch: amd64 - description: x64 - - match: PEB access + - match: PEB access via x86 assembly - offset: 0x18 = PEB.LDR_DATA diff --git a/linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml b/linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml index 0fe61c045..5430e47a9 100644 --- a/linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml 
+++ b/linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml @@ -17,7 +17,7 @@ rule: features: - and: # PEB -> PEB.Ldr -> PEB_LDR_DATA.InLoadOrderModuleList.Flink - - match: access PEB ldr_data + - match: access PEB ldr_data via x86 assembly # -> current module -> ntdll - count(offset(0)): 2 # -> kernel32 -> LDR_DATA_TABLE_ENTRY.DllBase diff --git a/linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml b/linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml index 72f01cd30..5658461ef 100644 --- a/linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml +++ b/linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml @@ -17,7 +17,7 @@ rule: features: - and: # PEB -> PEB.Ldr -> PEB_LDR_DATA.InLoadOrderModuleList.Flink - - match: access PEB ldr_data + - match: access PEB ldr_data via x86 assembly # -> current module - count(offset(0)): 1 # -> ntdll -> LDR_DATA_TABLE_ENTRY.DllBase diff --git a/load-code/pe/resolve-function-by-parsing-pe-exports.yml b/load-code/pe/resolve-function-by-parsing-pe-exports.yml old mode 100755 new mode 100644 diff --git a/nursery/append-data-to-clfs-log-container.yml b/nursery/append-data-to-clfs-log-container.yml old mode 100755 new mode 100644 diff --git a/nursery/hash-data-using-ripemd128.yml b/nursery/hash-data-using-ripemd128.yml old mode 100755 new mode 100644 diff --git a/nursery/hash-data-using-ripemd256.yml b/nursery/hash-data-using-ripemd256.yml old mode 100755 new mode 100644 diff --git a/nursery/hash-data-using-ripemd320.yml b/nursery/hash-data-using-ripemd320.yml old mode 100755 new mode 100644