authenticate HMAC

rule:
  meta:
    name: authenticate HMAC
    namespace: data-manipulation/hmac
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires characteristic features
    mbc:
      - Cryptography::Hashed Message Authentication Code [C0061]
    references:
      - https://tools.ietf.org/html/rfc2104
      - https://tools.ietf.org/html/rfc4634
      - https://github.com/ogay/hmac
    examples:
      - mimikatz.exe_:0x403408
  features:
    - and:
      # block-sized inner padding, consisting of repeated bytes valued 0x36
      - number: 0x36 = inner padding byte value
      # block-sized outer padding, consisting of repeated bytes valued 0x5c
      - number: 0x5C = outer padding byte value
      - match: contain loop
      - count(characteristic(nzxor)): 2 or more
      - optional:
        - description: block size
        - number: 64 = MD5, SHA-1, SHA-224, or SHA-256
        - number: 128 = SHA-384 or SHA-512