From e4546990828f5425d0e430cc02f70897f16bfb82 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Mon, 9 Oct 2023 20:07:38 +0200
Subject: [PATCH] Update generate-random-numbers-via-rtlgenrandom.yml (#828)
---
 .../generate-random-numbers-via-rtlgenrandom.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
index 8795b80b4..116b70e1a 100644
--- a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
+++ b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
@@ -4,12 +4,16 @@ rule:
 namespace: data-manipulation/prng
 authors:
 - william.ballenthin@mandiant.com
+ - richard.weiss@mandiant.com
 scope: function
 mbc:
 - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
+ references:
+ - https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html
+ - https://blog.gentilkiwi.com/tag/systemfunction036
 examples:
- - b7841b9d5dc1f511a93cc7576672ec0c:0x10002B80
- - 0a0882b8da225406cc838991b5f67d11:0x416F35
+ - b7841b9d5dc1f511a93cc7576672ec0c:0x10002B80 # api
+ - 0a0882b8da225406cc838991b5f67d11:0x416F35 # string
 features:
 - or:
 - api: SystemFunction036
@@ -17,6 +21,6 @@ rule:
 - match: link function at runtime on Windows
 - string: "SystemFunction036"
 - optional:
- - string: "advapi32.dll"
- - string: "Advapi32.dll"
+ - string: /advapi32/i
+ - string: /cryptsp/i
 - characteristic: indirect call
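Review bot: The new `/cryptsp/i` entry in the second hunk has nothing explaining why that DLL is listed: the two examples are labelled `# api` and `# string`, and neither is marked as exercising a cryptsp-based load. A trailing comment such as `- string: /cryptsp/i  # SystemFunction036 resolved from cryptsp.dll, see references` would let a later maintainer verify the entry, assuming that is the case the added references describe. Both patterns are also unanchored, so `/advapi32/i` will hit any longer string that merely contains the name. They appear to sit under `optional:`, in which case this changes only which strings are reported as evidence and not whether the rule matches, but the indentation is not visible here, so confirm the nesting against the full file.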