Neo23x0/ms_ts_anomaly.yar

## ms_ts_anomaly.yar

rule Microsoft_PE_Timestamp_Copyright_Anomaly {
   meta:
      description = "Detects a portable executable with an old copyrigth statement but a new compilation timestamp"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2017-06-02"
      score = 30
   strings:
      $a1 = "Copyright (C) Microsoft Corp. 19" wide
      $b1 = /Copyright \(C\) Microsoft Corp. 200[0-9]\-200[0-9]/ wide
   condition:
      uint16(0) == 0x5a4d and
      (
         // Timestamp newer than 01/01/2010 and copyright of 19..
         ( pe.timestamp > 1262304000 and $a1 and $a1 in (filesize-10000..filesize) ) or
         // Timestamp newer than 01/01/2016 and copyright of 2000 to 2010
         ( pe.timestamp > 1451606400 and $b1 and $b1 in (filesize-10000..filesize) )
      )
}

	rule Microsoft_PE_Timestamp_Copyright_Anomaly {
	meta:
	description = "Detects a portable executable with an old copyrigth statement but a new compilation timestamp"
	author = "Florian Roth"
	reference = "Internal Research"
	date = "2017-06-02"
	score = 30
	strings:
	$a1 = "Copyright (C) Microsoft Corp. 19" wide
	$b1 = /Copyright \(C\) Microsoft Corp. 200[0-9]\-200[0-9]/ wide
	condition:
	uint16(0) == 0x5a4d and
	(
	// Timestamp newer than 01/01/2010 and copyright of 19..
	( pe.timestamp > 1262304000 and $a1 and $a1 in (filesize-10000..filesize) ) or
	// Timestamp newer than 01/01/2016 and copyright of 2000 to 2010
	( pe.timestamp > 1451606400 and $b1 and $b1 in (filesize-10000..filesize) )
	)
	}