Windows system time has been changed on a critical server
This alert is triggered whenever the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Customer to provide a list of critical servers to be included in this alert.
MITRE ATT&CK Tactics
Command and Control
Windows Information Event Logs
Hyper-V or other virtualization technologies with a binary not listed in the filter portion of the detection
1. Perform a full AV/AM scan of the affected server.
2. Collect log evidence.
3. Perform an investigation in Sentinel for other IOCs originating from this server around the same time interval.
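
The detection logic described above, sketched as an added example (not the rule's own query): it keeps Security Event ID 4616 ("The system time was changed") records from critical servers and suppresses binaries on an allowlist. The server names, allowlist entries, the `ExampleHypervisor` path and all sample events are constructed assumptions.

```python
from datetime import datetime

# Everything below is constructed for illustration; none of it comes from the rule itself.
CRITICAL_SERVERS = {"dc01", "sql-prod-01"}  # placeholder for the customer-provided list
ALLOWED_BINARIES = {  # assumed "filter portion": binaries expected to set the clock
    r"c:\windows\system32\svchost.exe",  # service host that runs the Windows Time Service
    r"c:\program files\vmware\vmware tools\vmtoolsd.exe",
}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def detect_time_changes(events):
    """Return one alert per Event ID 4616 on a critical server from an unlisted binary."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4616:
            continue
        host = ev["Computer"].split(".")[0].lower()  # match FQDN or short name
        if host not in CRITICAL_SERVERS:
            continue
        if ev["ProcessName"].lower() in ALLOWED_BINARIES:
            continue  # routine synchronisation, suppressed by the filter
        shift = (parse_time(ev["NewTime"]) - parse_time(ev["PreviousTime"])).total_seconds()
        alerts.append({"host": host, "account": ev["SubjectUserName"],
                       "process": ev["ProcessName"], "shift_seconds": shift})
    return alerts

def make_event(computer, user, process, previous, new, event_id=4616):
    return {"EventID": event_id, "Computer": computer, "SubjectUserName": user,
            "ProcessName": process, "PreviousTime": previous, "NewTime": new}

SAMPLE_EVENTS = [  # constructed events
    make_event("DC01.corp.example", "LOCAL SERVICE", r"C:\Windows\System32\svchost.exe",
               "2024-05-10T02:00:00", "2024-05-10T02:00:01"),
    make_event("SQL-PROD-01", "jdoe", r"C:\Windows\System32\cmd.exe",
               "2024-05-10T12:00:00", "2024-05-08T12:00:00"),
    make_event("WS-114", "jdoe", r"C:\Windows\System32\cmd.exe",
               "2024-05-10T12:05:00", "2024-05-10T12:06:00"),
    # Hypothetical hypervisor guest agent missing from the filter: the false-positive case
    make_event("dc01", "SYSTEM", r"C:\Program Files\ExampleHypervisor\guest-agent.exe",
               "2024-05-10T03:00:00", "2024-05-10T03:00:02"),
]

if __name__ == "__main__":
    for alert in detect_time_changes(SAMPLE_EVENTS):
        print(alert)
```

The last sample event shows why an unlisted virtualization binary surfaces as a false positive: it is a two-second correction, but nothing in the filter identifies the process as expected.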