diff --git a/rules/windows/malware/av_exploiting.yml b/rules/application/antivirus/av_exploiting.yml
similarity index 100%
rename from rules/windows/malware/av_exploiting.yml
rename to rules/application/antivirus/av_exploiting.yml
diff --git a/rules/windows/malware/av_hacktool.yml b/rules/application/antivirus/av_hacktool.yml
similarity index 100%
rename from rules/windows/malware/av_hacktool.yml
rename to rules/application/antivirus/av_hacktool.yml
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/application/antivirus/av_password_dumper.yml
similarity index 100%
rename from rules/windows/malware/av_password_dumper.yml
rename to rules/application/antivirus/av_password_dumper.yml
diff --git a/rules/windows/malware/av_printernightmare_cve_2021_34527.yml b/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
similarity index 100%
rename from rules/windows/malware/av_printernightmare_cve_2021_34527.yml
rename to rules/application/antivirus/av_printernightmare_cve_2021_34527.yml
diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/application/antivirus/av_relevant_files.yml
similarity index 100%
rename from rules/windows/malware/av_relevant_files.yml
rename to rules/application/antivirus/av_relevant_files.yml
diff --git a/rules/windows/malware/av_webshell.yml b/rules/application/antivirus/av_webshell.yml
similarity index 100%
rename from rules/windows/malware/av_webshell.yml
rename to rules/application/antivirus/av_webshell.yml
diff --git a/rules/windows/edr/edr_command_execution_by_office_applications.yml b/rules/application/edr/windows/edr_command_execution_by_office_applications.yml
similarity index 100%
rename from rules/windows/edr/edr_command_execution_by_office_applications.yml
rename to rules/application/edr/windows/edr_command_execution_by_office_applications.yml
diff --git a/rules/windows/malware/file_event_mal_octopus_scanner.yml b/rules/windows/file_event/file_event_mal_octopus_scanner.yml
similarity index 100%
rename from rules/windows/malware/file_event_mal_octopus_scanner.yml
rename to rules/windows/file_event/file_event_mal_octopus_scanner.yml
diff --git a/rules/windows/malware/process_creation_mal_blue_mockingbird.yml b/rules/windows/process_creation/process_creation_mal_blue_mockingbird.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_blue_mockingbird.yml
rename to rules/windows/process_creation/process_creation_mal_blue_mockingbird.yml
diff --git a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml b/rules/windows/process_creation/process_creation_mal_darkside_ransomware.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_darkside_ransomware.yml
rename to rules/windows/process_creation/process_creation_mal_darkside_ransomware.yml
diff --git a/rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml b/rules/windows/process_creation/process_creation_mal_lockergoga_ransomware.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml
rename to rules/windows/process_creation/process_creation_mal_lockergoga_ransomware.yml
diff --git a/rules/windows/malware/process_creation_mal_ryuk.yml b/rules/windows/process_creation/process_creation_mal_ryuk.yml
similarity index 100%
rename from rules/windows/malware/process_creation_mal_ryuk.yml
rename to rules/windows/process_creation/process_creation_mal_ryuk.yml
diff --git a/rules/windows/malware/registry_event_mal_azorult.yml b/rules/windows/registry_event/registry_event_mal_azorult.yml
similarity index 100%
rename from rules/windows/malware/registry_event_mal_azorult.yml
rename to rules/windows/registry_event/registry_event_mal_azorult.yml
diff --git a/rules/windows/malware/registry_event_mal_blue_mockingbird.yml b/rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml
similarity index 100%
rename from rules/windows/malware/registry_event_mal_blue_mockingbird.yml
rename to rules/windows/registry_event/registry_event_mal_blue_mockingbird.yml
diff --git a/rules/windows/malware/registry_event_mal_flowcloud.yml b/rules/windows/registry_event/registry_event_mal_flowcloud.yml
similarity index 100%
rename from rules/windows/malware/registry_event_mal_flowcloud.yml
rename to rules/windows/registry_event/registry_event_mal_flowcloud.yml
diff --git a/rules/windows/malware/registry_event_mal_netwire.yml b/rules/windows/registry_event/registry_event_mal_netwire.yml
similarity index 100%
rename from rules/windows/malware/registry_event_mal_netwire.yml
rename to rules/windows/registry_event/registry_event_mal_netwire.yml
diff --git a/rules/windows/malware/registry_event_mal_ursnif.yml b/rules/windows/registry_event/registry_event_mal_ursnif.yml
similarity index 100%
rename from rules/windows/malware/registry_event_mal_ursnif.yml
rename to rules/windows/registry_event/registry_event_mal_ursnif.yml