Update encrypt-data-using-dpapi.yml rule (#900)

* Update encrypt-data-using-dpapi.yml rule
mandiant · May 21, 2024 · 7f8216f · 7f8216f
1 parent 7128cdb
commit 7f8216f
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
@@ -22,3 +22,14 @@ rule:
       - api: crypt32.CryptUnprotectData
       - api: System.Security.Cryptography.ProtectedData::Unprotect
       - api: System.Security.Cryptography.ProtectedData::Protect
+      - api: SystemFunction040
+      - api: SystemFunction041
+      - and:
+        - match: link function at runtime on Windows
+        - or:
+          # RtlEncryptMemory is available as SystemFunction040 export in Advapi32.dll
+          # CryptProtectMemory is a wrapper function for SystemFunction040
+          - string: "SystemFunction040"
+          # RtlDecryptMemory is available as SystemFunction041 export in Advapi32.dll
+          # CryptUnprotectMemory is a wrapper function for SystemFunction041
+          - string: "SystemFunction041"