https://github.com/mandiant/capa-rules/blame/b9c2bc120e21154fd7e3e1d8b7150f8de92b1a50/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml

Dear Willi,

fantastic rule; thank you for insipiration. What do you think about these changes?

1. Adding a reference. e.g.:

• https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html
• https://blog.gentilkiwi.com/tag/systemfunction036

2. Adding comment to the examples if detected by api or string
3. changing of:

• string: "advapi32.dll" to string: /advapi32/i: .dll is not needed and could be appended by the OS, and the string as argument is used in a case-insensitive way
• deletion of line 21: it is covered by the regex string

It is only an idea and I hope you like it. :)

Kind regards,
Richard