title: Unauthorized System Time Modification
author: '@neu5ron'
date: 2019/02/05
description: Detect scenarios where a potentially unauthorized application or user
  is modifying the system time.
detection:
  SELECTION_1:
    EventID: 4616
  SELECTION_2:
    ProcessName: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
  SELECTION_3:
    ProcessName: C:\Windows\System32\VBoxService.exe
  SELECTION_4:
    ProcessName: C:\Windows\System32\svchost.exe
  SELECTION_5:
    SubjectUserSid: S-1-5-19
  condition: (SELECTION_1 and  not (((SELECTION_2 or SELECTION_3) or (SELECTION_4
    and SELECTION_5))))
falsepositives:
- HyperV or other virtualization technologies with binary not listed in filter portion
  of detection
id: faa031b5-21ed-4e02-8881-2591f98d82ed
level: medium
logsource:
  definition: 'Requirements: Audit Policy : System > Audit Security State Change,
    Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
    Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
  product: windows
  service: security
modified: 2020/01/27
references:
- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
- Live environment caused by malware
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
status: experimental
tags:
- attack.defense_evasion
- attack.t1099
- attack.t1070.006
ruletype: SIGMA