mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

Update encrypt-data-using-dpapi.yml rule #900

Closed jtothej closed 3 months ago

jtothej commented 3 months ago

Update encrypt-data-using-dpapi.yml rule - add RtlEncryptMemory/SystemFunction040 and RtlDecryptMemory/SystemFunction041. CryptProtectMemory and CryptUnprotectMemory are wrappers for SystemFunction040 and SystemFunction041 respectively.