rules: add nursery rule for shellcode execution via ReadDirectoryChanges

[akshat4703]

Summary

This PR adds a new nursery rule detecting potential shellcode execution triggered through the Windows ReadDirectoryChanges API callback flow.

The idea comes from the rule-idea issues and currently has no related PRs (GitHub search for "ReadDirectoryChanges" shellcode execution returned none).

Detection logic

The rule looks for patterns where malware may use directory change notifications as a trigger for executing shellcode.

Typical flow includes:

• ReadDirectoryChangesW or ReadDirectoryChangesExW
• RWX memory allocation or permission change
• alertable wait APIs such as:
  • SleepEx
  • WaitForSingleObjectEx
  • WaitForMultipleObjectsEx

These APIs together can indicate a callback-driven execution path where shellcode is triggered by filesystem events.

Rule location

rules/nursery/execute-shellcode-via-readdirectorychanges.yml

Validation

Formatting and lint checks pass:
HOME=/tmp .venv/bin/python scripts/capafmt.py -c rules/nursery/execute-shellcode-via-readdirectorychanges.yml
HOME=/tmp .venv/bin/python scripts/lint.py -t “execute shellcode via ReadDirectoryChanges” rules

Both commands completed successfully.

Notes

This rule is added to nursery because it may benefit from additional testing and refinement before promotion to the main ruleset.

[akshat4703]

@mike-hunhoff Updated per the rule docs on A/W handling: I replaced explicit A/W variants with base API names (ReadDirectoryChanges, ReadDirectoryChangesEx, and CreateFile) so the rule matches both variants correctly.
Also, the issue-link reference has been removed from the rule metadata.