encrypt-data-using-rc6.yml

rule:
  meta:
    name: encrypt data using RC6
    namespace: data-manipulation/encryption/rc6
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
      - Cryptography::Encrypt Data::RC6 [C0027.010]
    references:
      - https://github.com/stamparm/cryptospecs/blob/master/symmetrical/sources/rc6.c#L66
    examples:
      - D87BA0BFCE1CDB17FD243B8B1D247E88:0x402390
  features:
    - and:
      - or:
        - description: P, used by both RC5 and RC6 (more common)
        - number: 0xB7E15163 = P (32-bit)
        - number: 0xB7E151628AED2A6B = P (64-bit)
      - or:
        - description: Q, used by both RC5 and RC6 (more common)
        - or:
          - number: 0x9e3779b9 = Q (32-bit), encrypt via add an unsigned
          - number: 0x61C88647 = Q (32-bit), encrypt via subtract an unsigned
        - number: 0x9E3779B97F4A7C15 = Q (64-bit)