Unauthorized System Time Modification
Detect scenarios where a potentially unauthorized application or user is modifying the system time.
Log Source
Product: windows
Service: security
Definition
Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change
Detection Logic (3 selectors)
detection:
    selection:
        EventID: 4616
    filter_main_svchost:
        ProcessName: 'C:\Windows\System32\svchost.exe'
        SubjectUserSid: 'S-1-5-19'
    filter_optional_vmtools:
        ProcessName:
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Windows\System32\VBoxService.exe'
            - 'C:\Windows\System32\oobe\msoobe.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Hyper-V or other virtualization technologies whose time-sync binary is not listed in the filter portion of the detection
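To make the condition above concrete, here is an added Python re-implementation of the rule's matching semantics (not code from the Sigma project), run over constructed 4616 events; it shows that both fields of filter_main_svchost must match for the filter to apply, that list values are alternatives, and that comparison is case-insensitive as in Sigma's default modifier.

```python
# Added example (not the Sigma project's code): the rule's condition re-implemented
# in Python and run over constructed Security-log 4616 events.
EVENT_ID = 4616

# filter_main_svchost: all fields in a Sigma map must match (AND).
FILTER_MAIN = [{"ProcessName": ["C:\\Windows\\System32\\svchost.exe"],
                "SubjectUserSid": ["S-1-5-19"]}]
# filter_optional_vmtools: any value in a Sigma list matches (OR).
FILTER_OPTIONAL = [{"ProcessName": [
    "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
    "C:\\Program Files (x86)\\VMware\\VMware Tools\\vmtoolsd.exe",
    "C:\\Windows\\System32\\VBoxService.exe",
    "C:\\Windows\\System32\\oobe\\msoobe.exe",
]}]

def match_map(event, fields):
    """Every field must equal one of its listed values; Sigma compares case-insensitively."""
    return all(str(event.get(f, "")).lower() in [v.lower() for v in vals]
               for f, vals in fields.items())

def is_suspicious_time_change(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if event.get("EventID") != EVENT_ID:                    # selection
        return False
    if any(match_map(event, f) for f in FILTER_MAIN):       # 1 of filter_main_*
        return False
    return not any(match_map(event, f) for f in FILTER_OPTIONAL)  # 1 of filter_optional_*

# Constructed sample events using the 4616 field names the rule references.
SAMPLE_EVENTS = [
    # W32Time running as LOCAL SERVICE inside svchost: the expected benign sync, filtered.
    {"id": "w32time", "EventID": 4616, "SubjectUserSid": "S-1-5-19",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    # Same binary but SYSTEM SID: only one of the two filter fields matches, so it alerts.
    {"id": "svchost-system", "EventID": 4616, "SubjectUserSid": "S-1-5-18",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    # Hypervisor tools path in different case: still filtered.
    {"id": "vmtools", "EventID": 4616, "SubjectUserSid": "S-1-5-18",
     "ProcessName": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe"},
    # Unlisted process (constructed path and SID) changing the clock: alerts.
    {"id": "unknown-binary", "EventID": 4616, "SubjectUserSid": "S-1-5-21-1-2-3-1001",
     "ProcessName": "C:\\Users\\Public\\clockset.exe"},
    # Different event ID: not a time change, ignored.
    {"id": "logon", "EventID": 4624, "SubjectUserSid": "S-1-5-18",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
]

def alerting_ids(events=SAMPLE_EVENTS):
    return [e["id"] for e in events if is_suspicious_time_change(e)]
```

Running alerting_ids() on the constructed events returns the two cases the rule is meant to surface, while the W32Time sync and the VMware tools event are suppressed.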
References
1. Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
2. Live environment caused by malware
3. learn.microsoft.com
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Sub-techniques: T1070.006 (attack.t1070.006)
Rule Metadata
Rule ID
faa031b5-21ed-4e02-8881-2591f98d82ed
Status
test
Level
low
Type
Detection
Created
Tue Feb 05
Modified
Wed Dec 03
Author
Path
rules/windows/builtin/security/win_security_susp_time_modification.yml
Raw Tags
attack.defense-evasion, attack.t1070.006