Managed Sentinel – Alert 126
| Field | Value |
|---|---|
| Alert Name | Windows system time has been changed on a critical server |
| Description | This alert is triggered whenever the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis; other system time changes may indicate attempts to tamper with the computer. The customer is to provide a list of critical servers to be included in this alert. |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Execution; Command and Control |
| Log sources | Windows Information Event Logs |
| False Positives | Hyper-V or other virtualization technologies whose time-setting binary is not listed in the filter portion of the detection |
| Recommendations | 1. Perform a full AV/AM scan of the affected server. 2. Collect the relevant logs as evidence. 3. Investigate in Sentinel for other IOCs in the same time interval originating from this server. |
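The filter described in the Description and False Positives rows, as an added example that is not part of this alert page or the Managed Sentinel rule itself: it is written in Python over constructed records rather than as the Sentinel KQL query, and it models the fields of Windows Security event 4616 ("The system time was changed"), which the page does not name, so that mapping and the sample hostnames, SIDs and binary names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

SYSTEM_SID = "S-1-5-18"  # well-known SID of the LocalSystem account
# Binaries allowed to change the clock while running as LocalSystem. The Windows Time
# Service runs inside svchost.exe; a virtualization agent the customer confirms as
# benign (the False Positives row) is appended here.
EXPECTED_TIME_CHANGERS = {"svchost.exe"}

@dataclass
class TimeChangeEvent:
    computer: str
    subject_sid: str
    process_name: str  # full path as logged
    previous_time: datetime
    new_time: datetime

def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_expected_change(ev: TimeChangeEvent) -> bool:
    """Routine case: LocalSystem adjusting the clock through an allow-listed binary."""
    return ev.subject_sid == SYSTEM_SID and basename(ev.process_name) in EXPECTED_TIME_CHANGERS

def evaluate(events, critical_servers):
    """One alert record per unexpected time change on a critical server; shift_seconds
    is signed, so a large negative value means the clock was set back."""
    critical = {c.upper() for c in critical_servers}
    alerts = []
    for ev in events:
        if ev.computer.upper() not in critical or is_expected_change(ev):
            continue
        alerts.append({"computer": ev.computer, "subject_sid": ev.subject_sid,
                       "process": basename(ev.process_name),
                       "shift_seconds": (ev.new_time - ev.previous_time).total_seconds()})
    return alerts

# Constructed sample events (not real telemetry); hostnames, SIDs and paths are made up.
SAMPLE_EVENTS = [
    TimeChangeEvent("DC01", SYSTEM_SID, r"C:\Windows\System32\svchost.exe",
                    datetime(2024, 3, 1, 12, 0, 0), datetime(2024, 3, 1, 12, 0, 1)),   # w32time drift fix
    TimeChangeEvent("DC01", "S-1-5-21-1111-2222-3333-1104", r"C:\Windows\System32\cmd.exe",
                    datetime(2024, 3, 1, 12, 30, 0), datetime(2024, 2, 23, 12, 30, 0)),  # clock set back a week
    TimeChangeEvent("APP07", "S-1-5-21-1111-2222-3333-1104", r"C:\Windows\System32\cmd.exe",
                    datetime(2024, 3, 1, 13, 0, 0), datetime(2024, 3, 1, 14, 0, 0)),   # not a critical server
    TimeChangeEvent("FS01", SYSTEM_SID, r"C:\Program Files\Hypervisor Agent\agent.exe",
                    datetime(2024, 3, 1, 8, 0, 0), datetime(2024, 3, 1, 8, 5, 0)),     # unlisted binary: fires
]
CRITICAL_SERVERS = ["dc01", "fs01"]  # constructed stand-in for the customer-supplied list

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, CRITICAL_SERVERS))
```

The second DC01 event and the FS01 event are raised; the FS01 one is the false-positive case the table describes and disappears once the agent binary is added to the filter set.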