diff --git a/host-interaction/file-system/write/write-file-on-linux.yml b/host-interaction/file-system/write/write-file-on-linux.yml
index 0be290eb..a38f6585 100644
--- a/host-interaction/file-system/write/write-file-on-linux.yml
+++ b/host-interaction/file-system/write/write-file-on-linux.yml
@@ -4,6 +4,7 @@ rule:
     namespace: host-interaction/file-system/write
     authors:
       - joakim@intezer.com
+      - mehunhoff@google.com
     scopes:
       static: function
       dynamic: thread
@@ -27,5 +28,9 @@ rule:
         - api: write
         - api: fwrite
         - api: putwchar
+        - api: dprintf
+        - api: vdprintf
+        - api: fprintf
+        - api: vfprintf
       - optional:
         - match: create or open file
diff --git a/host-interaction/process/create/create-process-on-linux.yml b/host-interaction/process/create/create-process-on-linux.yml
index c7b6d5d8..8394567c 100644
--- a/host-interaction/process/create/create-process-on-linux.yml
+++ b/host-interaction/process/create/create-process-on-linux.yml
@@ -19,6 +19,10 @@ rule:
         - os: android
       - or:
         - api: execve
+        - and:
+          - match: execute syscall
+          - arch: aarch64
+          - number: 0xdd = execve
         - api: execl
         - api: execlp
         - api: execle
diff --git a/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml b/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
new file mode 100644
index 00000000..baaad79a
--- /dev/null
+++ b/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: bypass hidden API restrictions via JNI on Android
+    namespace: host-interaction/bypass
+    authors:
+      - mehunhoff@google.com
+    description: Starting in Android 9 (API level 28), the platform restricts which non-SDK interfaces your app can use
+    scopes:
+      static: function
+      dynamic: thread
+    references:
+      - https://stackoverflow.com/questions/55970137/bypass-androids-hidden-api-restrictions
+  features:
+    - and:
+      - os: android
+      - string: "dalvik/system/VMRuntime"
+      - string: "getRuntime"
+      - string: "setHiddenApiExemptions"
+      - string: "java/lang/String"
diff --git a/nursery/execute-syscall-instruction.yml b/nursery/execute-syscall.yml
similarity index 50%
rename from nursery/execute-syscall-instruction.yml
rename to nursery/execute-syscall.yml
index fa284e5d..ec9e46ae 100644
--- a/nursery/execute-syscall-instruction.yml
+++ b/nursery/execute-syscall.yml
@@ -1,10 +1,11 @@
 rule:
   meta:
-    name: execute syscall instruction
+    name: execute syscall
     namespace: anti-analysis
     authors:
       - "@kulinacs"
       - "@mr-tz"
+      - mehunhoff@google.com
     description: may be used to evade hooks or hinder analysis
     scopes:
       static: basic block
@@ -12,8 +13,14 @@ rule:
     references:
       - https://github.com/j00ru/windows-syscalls
   features:
-    - and:
-      - mnemonic: syscall
-      - or:
-        - mnemonic: ret
-        - mnemonic: retn
+    - or:
+      - and:
+        - or:
+          - os: linux
+          - os: android
+        - api: syscall # https://man7.org/linux/man-pages/man2/syscall.2.html
+      - and:
+        - mnemonic: syscall
+        - or:
+          - mnemonic: ret
+          - mnemonic: retn
diff --git a/nursery/get-current-process-filesystem-mounts-on-linux.yml b/nursery/get-current-process-filesystem-mounts-on-linux.yml
new file mode 100644
index 00000000..0906cd13
--- /dev/null
+++ b/nursery/get-current-process-filesystem-mounts-on-linux.yml
@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: get current process filesystem mounts on Linux
+    namespace: host-interation/process
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: basic block
+      dynamic: call
+  features:
+    - and:
+      - or:
+        - os: linux
+        - os: android
+      - match: create or open file
+      - string: "/proc/self/mounts"
diff --git a/nursery/get-current-process-memory-mapping-on-linux.yml b/nursery/get-current-process-memory-mapping-on-linux.yml
new file mode 100644
index 00000000..051bcba0
--- /dev/null
+++ b/nursery/get-current-process-memory-mapping-on-linux.yml
@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: get current process memory mapping on Linux
+    namespace: host-interation/process
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: basic block
+      dynamic: call
+  features:
+    - and:
+      - or:
+        - os: linux
+        - os: android
+      - match: create or open file
+      - string: "/proc/self/maps"
diff --git a/nursery/get-system-property-on-android.yml b/nursery/get-system-property-on-android.yml
new file mode 100644
index 00000000..46243be6
--- /dev/null
+++ b/nursery/get-system-property-on-android.yml
@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: get system property on Android
+    namespace: host-interation/process
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: basic block
+      dynamic: call
+  features:
+    - and:
+      - os: android
+      - api: __system_property_get
diff --git a/nursery/hook-routines-via-lsplant.yml b/nursery/hook-routines-via-lsplant.yml
new file mode 100644
index 00000000..8d20b485
--- /dev/null
+++ b/nursery/hook-routines-via-lsplant.yml
@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: hook routines via LSPlant
+    namespace: linking/hooking
+    authors:
+      - mehunhoff@google.com
+    description: LSPlant is an Android ART hook library, providing Java method hook/unhook and inline deoptimization
+    scopes:
+      static: basic block
+      dynamic: thread
+    references:
+      - https://github.com/LSPosed/LSPlant
+  features:
+    - and:
+      - string: "LSPHooker_"
+      - string: "hooker"
+      - string: "{target}"
diff --git a/nursery/load-packed-dex-via-jiagu-on-android.yml b/nursery/load-packed-dex-via-jiagu-on-android.yml
new file mode 100644
index 00000000..bd1b153d
--- /dev/null
+++ b/nursery/load-packed-dex-via-jiagu-on-android.yml
@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: load packed DEX via Jiagu on Android
+    namespace: anti-analysis
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: function
+      dynamic: thread
+    references:
+      - https://github.com/Frezrik/Jiagu
+  features:
+    - and:
+      - os: android
+      - string: "NDK_JIAGU"
+      - string: "[-]get %s handle failed:%s"
+      - string: "[-]ANONYMOUS mmap failed:%s"
+      - string: "[-]g_sdk_int Update cookie failed"
+      - string: "dalvik/system/InMemoryDexClassLoader"
diff --git a/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml b/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
new file mode 100644
index 00000000..58f91138
--- /dev/null
+++ b/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: modify API blacklist or denylist via JNI on Android
+    namespace: host-interaction/bypass
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: function
+      dynamic: thread
+  features:
+    - and:
+      - os: android
+      - string: "com/android/internal/os/ZygoteInit"
+      - or:
+        - string: "setApiBlacklistExemptions"
+        - string: "setApiDenylistExemptions"
+      - string: "java/lang/String"
diff --git a/nursery/truncate-file-on-linux.yml b/nursery/truncate-file-on-linux.yml
new file mode 100644
index 00000000..e38436f6
--- /dev/null
+++ b/nursery/truncate-file-on-linux.yml
@@ -0,0 +1,15 @@
+rule:
+  meta:
+    name: truncate file on Linux
+    namespace: host-interaction/file-system/truncate
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: basic block
+      dynamic: call
+  features:
+    - and:
+      - or:
+        - os: android
+        - os: linux
+      - api: ftruncate