diff --git a/data-manipulation/compression/create-cabinet-on-windows.yml b/data-manipulation/compression/create-cabinet-on-windows.yml
new file mode 100644
index 000000000..7b259c6f1
--- /dev/null
+++ b/data-manipulation/compression/create-cabinet-on-windows.yml
@@ -0,0 +1,24 @@
+rule:
+ meta:
+ name: create Cabinet on Windows
+ namespace: data-manipulation/compression
+ authors:
+ - michael.hunhoff@mandiant.com
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ att&ck:
+ - Collection::Archive Collected Data::Archive via Library [T1560.002]
+ mbc:
+ - Data::Compress Data [C0024]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/devnotes/creating-a-cabinet
+ examples:
+ - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+ features:
+ - and:
+ - match: create File Compression Interface context on Windows
+ - or:
+ - api: cabinet.FCIAddFile = add file to Cabinet
+ - api: cabinet.FCIFlushFolder = flush current folder under construction
+ - api: cabinet.FCIFlushCabinet = complete current cabinet
+ - api: cabinet.FCIDestroy = delete an open FCI context
diff --git a/data-manipulation/compression/extract-cabinet-on-windows.yml b/data-manipulation/compression/extract-cabinet-on-windows.yml
new file mode 100644
index 000000000..b371b1a65
--- /dev/null
+++ b/data-manipulation/compression/extract-cabinet-on-windows.yml
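Review bot: The `or` branch in create-cabinet-on-windows.yml accepts `cabinet.FCIDestroy` as the second leg of the `and`, so a function that only creates an FCI context and then tears it down (a failure or early-exit path with no FCIAddFile or flush call) still matches "create Cabinet on Windows". The rule's own annotation describes FCIDestroy as "delete an open FCI context", which is cleanup rather than cabinet construction, so dropping `- api: cabinet.FCIDestroy = delete an open FCI context` from the `or` would keep the rule tied to work that actually produces a cabinet. The same pattern appears in extract-cabinet-on-windows.yml in this commit, where the FDI lib match plus `cabinet.FDIDestroy` alone satisfies "extract Cabinet on Windows" without any FDICopy call.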
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: extract Cabinet on Windows
+ namespace: data-manipulation/compression
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ att&ck:
+ - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
+ mbc:
+ - Data::Decompress Data [C0025]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/devnotes/extracting-files-from-a-cabinet
+ examples:
+ - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+ features:
+ - and:
+ - match: create File Decompression Interface context on Windows
+ - or:
+ - api: cabinet.FDICopy
+ - api: cabinet.FDIDestroy
diff --git a/nursery/open-cabinet-file.yml b/lib/create-file-compression-interface-context-on-windows.yml
similarity index 56%
rename from nursery/open-cabinet-file.yml
rename to lib/create-file-compression-interface-context-on-windows.yml
index 2ee425ee4..3afa6b24a 100644
--- a/nursery/open-cabinet-file.yml
+++ b/lib/create-file-compression-interface-context-on-windows.yml
@@ -1,12 +1,14 @@
 rule:
 meta:
- name: open cabinet file
- namespace: host-interaction/file-system
+ name: create File Compression Interface context on Windows
 authors:
 - michael.hunhoff@mandiant.com
+ lib: true
 scope: function
 references:
 - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
+ examples:
+ - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
 features:
 - or:
 - api: cabinet.FCICreate
diff --git a/lib/create-file-decompression-interface-context-on-windows.yml b/lib/create-file-decompression-interface-context-on-windows.yml
new file mode 100644
index 000000000..b9a2bd5f3
--- /dev/null
+++ b/lib/create-file-decompression-interface-context-on-windows.yml
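Review bot: The two `api` entries under `or` in extract-cabinet-on-windows.yml carry no `= description` suffix, while every API in the sibling create-cabinet-on-windows.yml rule added by this same commit is annotated, so the pair reads inconsistently. Annotating them the same way, e.g. `- api: cabinet.FDICopy = extract files from a Cabinet` and `- api: cabinet.FDIDestroy = delete an open FDI context`, would keep the two rules symmetrical and make the match output self-explanatory.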
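Review bot: The `examples` entry added to the renamed FCI lib rule, `44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0`, is the same single function used as the sole example by all four rules in this commit, including the FDI lib rule and the extract rule; one function exercising both the compression and decompression paths is plausible, but it is worth confirming that each rule's example genuinely reaches that rule's own features rather than being copied across. The kept reference still points at the generic docs.microsoft.com cabinet-files page while the new consumer rule cites the learn.microsoft.com cabinet-creation page; if the lib rule is meant to document FCICreate specifically, the more specific page is the more useful pointer, and the decompression lib rule carries the same generic reference.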
@@ -0,0 +1,14 @@
+rule:
+ meta:
+ name: create File Decompression Interface context on Windows
+ authors:
+ - jakub.jozwiak@mandiant.com
+ lib: true
+ scope: function
+ references:
+ - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
+ examples:
+ - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+ features:
+ - or:
+ - api: cabinet.FDICreate
diff --git a/nursery/add-file-to-cabinet-file.yml b/nursery/add-file-to-cabinet-file.yml
deleted file mode 100644
index 5988a5180..000000000
--- a/nursery/add-file-to-cabinet-file.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-rule:
- meta:
- name: add file to cabinet file
- namespace: host-interaction/file-system
- authors:
- - michael.hunhoff@mandiant.com
- scope: function
- references:
- - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
- features:
- - or:
- - api: cabinet.FCIAddFile
diff --git a/nursery/flush-cabinet-file.yml b/nursery/flush-cabinet-file.yml
deleted file mode 100644
index b75ec4f63..000000000
--- a/nursery/flush-cabinet-file.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-rule:
- meta:
- name: flush cabinet file
- namespace: host-interaction/file-system
- authors:
- - michael.hunhoff@mandiant.com
- scope: function
- references:
- - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
- features:
- - or:
- - api: cabinet.FCIFlushFolder = flush current folder under construction
- - api: cabinet.FCIFlushCabinet = completes current cabinet
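Review bot: `features:` in create-file-decompression-interface-context-on-windows.yml wraps the single `cabinet.FDICreate` entry in an `or` with no sibling, so the statement adds nothing to the match; `- api: cabinet.FDICreate` placed directly under `features:` expresses the same thing, unless further context-creation variants are expected to be added here. The renamed FCI lib rule in this commit keeps the same single-child `or` around `cabinet.FCICreate`, so whichever form is chosen, the two lib rules should agree.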