generate random numbers via RtlGenRandom

rule:
  meta:
    name: generate random numbers via RtlGenRandom
    namespace: data-manipulation/prng
    authors:
      - william.ballenthin@mandiant.com
      - richard.weiss@mandiant.com
    scopes:
      static: function
      dynamic: thread
    mbc:
      - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
    references:
      - https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html
      - https://blog.gentilkiwi.com/tag/systemfunction036
    examples:
      - b7841b9d5dc1f511a93cc7576672ec0c:0x10002B80 # api
      - 0a0882b8da225406cc838991b5f67d11:0x416F35 # string
  features:
    - or:
      - api: SystemFunction036
      - and:
        - match: link function at runtime on Windows
        - string: "SystemFunction036"
        - optional:
          - string: /advapi32/i
          - string: /cryptsp/i