Unauthorized System Time Modification

Detect scenarios where a potentially unauthorized application or user is modifying the system time.

Sigma rule (View on GitHub)

 1title: Unauthorized System Time Modification
 2id: faa031b5-21ed-4e02-8881-2591f98d82ed
 3status: test
 4description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
 5references:
 6    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
 7    - Live environment caused by malware
 8    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
 9author: '@neu5ron'
10date: 2019-02-05
11modified: 2022-08-03
12tags:
13    - attack.defense-evasion
14    - attack.t1070.006
15logsource:
16    product: windows
17    service: security
18    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
19detection:
20    selection:
21        EventID: 4616
22    filter1:
23        ProcessName:
24            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
25            - 'C:\Windows\System32\VBoxService.exe'
26            - 'C:\Windows\System32\oobe\msoobe.exe'
27    filter2:
28        ProcessName: 'C:\Windows\System32\svchost.exe'
29        SubjectUserSid: 'S-1-5-19'
30    condition: selection and not 1 of filter*
31falsepositives:
32    - HyperV or other virtualization technologies with binary not listed in filter portion of detection
33level: low

References

Related rules

to-top