From 18f8a33a4e5a1ff6484fae5858a12c0a6e04c040 Mon Sep 17 00:00:00 2001
From: Richard <9610284+richardweiss80@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:55:01 +0200
Subject: [PATCH] encrypt data using RC4 via SystemFunction032 (#825)
* RC4 encryption via Advapi32.SystemFunction032
---
 ...t-data-using-rc4-via-systemfunction032.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 nursery/encrypt-data-using-rc4-via-systemfunction032.yml
diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
new file mode 100644
index 00000000..ffa79dd0
--- /dev/null
+++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -0,0 +1,26 @@
+rule:
+ meta:
+ name: encrypt data using RC4 via SystemFunction032
+ namespace: data-manipulation/encryption/rc4
+ authors:
+ - richard.weiss@mandiant.com
+ scope: function
+ att&ck:
+ - Defense Evasion::Obfuscated Files or Information [T1027]
+ mbc:
+ - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
+ - Cryptography::Encrypt Data::RC4 [C0027.009]
+ references:
+ - https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html
+ - https://blog.gentilkiwi.com/tag/systemfunction032
+ examples:
+ - 3BBDF04C25FCD9876733EAA9163B3ED64D81396E7414619758D9376EDF4C103E:0x1000976C # api match
+ features:
+ - or:
+ - api: SystemFunction032
+ - and:
+ - match: link function at runtime on Windows
+ - string: "SystemFunction032"
+ - optional:
+ - string: /advapi32/i
+ - string: /cryptsp/i
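Review bot: The `examples:` list has a single entry, annotated `# api match`, so the second branch of the `or:` (the `and:` of `match: link function at runtime on Windows` with `string: "SystemFunction032"`) is exercised by no example and a regression in that branch would go unnoticed; add a second `sha256:offset` example that resolves the export dynamically, or note in the meta why one is not yet available. The rule also lacks a `description:` line, which the references imply is worth stating since the export name alone does not tell a reader what it does: something like `description: SystemFunction032 is an advapi32/cryptsp export that implements RC4 (see references); the same routine is reachable under other SystemFunction0xx names`, hedged as appropriate for what the ReactOS source confirms. Finally, the `optional:` `/advapi32/i` and `/cryptsp/i` strings sit only under the `and:` branch, which is fine, but the leading `api: SystemFunction032` branch is unqualified, so if the project convention prefers module-qualified API features (e.g. `advapi32.SystemFunction032`) the first branch should follow it for consistency with sibling rules.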