Managed Sentinel – Alert 126

Alert ID: MS-A126
Alert Name: Windows system time has been changed on a critical server
Description: This alert is triggered whenever the system time is changed on a critical server. It is normal for the Windows Time Service, which runs with SYSTEM privilege, to adjust the system time on a regular basis. Other system time changes may indicate an attempt to tamper with the computer.
The customer is to provide a list of critical servers to be included in this alert.
Severity Level: Informational
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics:
- Execution
- Privilege Escalation
- Lateral Movement
- Command and Control
Log Sources: Windows Information Event Logs
False Positives: Hyper-V or other virtualization technologies whose time-synchronization binary is not listed in the filter portion of the detection.
Recommendations:
1. Perform a full AV/AM scan of the affected server.
2. Collect and preserve the relevant logs as evidence.
3. Investigate in Sentinel for other IOCs originating from this server in the same time interval.
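As an added illustration, not part of the MS-A126 definition or of any Sentinel rule, the Python sketch below applies the alert's logic to constructed sample events: it keeps only events from the customer's critical-server list, drops changes made by expected sources (the Windows Time Service hosted in svchost.exe running as SYSTEM, plus a virtualization-tools binary standing in for the filter that the False Positives entry refers to), and reports the remaining changes together with the size and direction of the clock shift. The event field names, server names and process paths are assumptions and placeholders that a real deployment would replace with the fields of the Windows event it ingests.

```python
"""Added example (not the alert's own code): minimal detection logic for
'system time changed on a critical server', run over constructed events.

Assumptions (not taken from the alert page):
- each time-change event carries the computer, the account and the process
  that made the change, plus the previous and new timestamps (hypothetical
  field names);
- the critical-server list and expected-source filter below are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Critical servers supplied by the customer (constructed sample list).
CRITICAL_SERVERS = {"DC01", "SQL01"}

# Expected time-change sources: (process path, account). The Windows Time
# Service runs inside svchost.exe as SYSTEM; the second entry is a placeholder
# for a virtualization-tools binary, which the alert's False Positives entry
# says must be added to the filter for the hypervisor in use.
EXPECTED_SOURCES = {
    (r"c:\windows\system32\svchost.exe", "SYSTEM"),
    (r"c:\program files\vmware\vmware tools\vmtoolsd.exe", "SYSTEM"),
}


@dataclass(frozen=True)
class TimeChangeEvent:
    computer: str
    account: str
    process: str
    previous_time: datetime
    new_time: datetime


def is_expected_source(event: TimeChangeEvent) -> bool:
    """True when both the process path and the account match an allow-listed pair.
    Matching on the process alone would be weaker: many services share svchost.exe."""
    return (event.process.lower(), event.account.upper()) in EXPECTED_SOURCES


def detect(events: Iterable[TimeChangeEvent]) -> List[Dict]:
    """Return one alert record per unexpected time change on a critical server."""
    alerts: List[Dict] = []
    for ev in events:
        if ev.computer.upper() not in CRITICAL_SERVERS:
            continue  # not in scope for this alert
        if is_expected_source(ev):
            continue  # routine W32Time / hypervisor synchronisation
        delta = ev.new_time - ev.previous_time
        alerts.append({
            "alert_id": "MS-A126",
            "computer": ev.computer,
            "account": ev.account,
            "process": ev.process,
            "shift_seconds": int(delta.total_seconds()),
            # A clock set backwards is worth flagging explicitly for the analyst:
            # it breaks log ordering and can revive expired credentials.
            "direction": "backward" if delta < timedelta(0) else "forward",
        })
    return alerts


# Constructed sample events: one routine sync, one interactive change that
# rewinds the clock a week, one unknown binary jumping it forward two hours,
# and one change on a workstation that is not a critical server.
SAMPLE_EVENTS = [
    TimeChangeEvent("DC01", "SYSTEM", r"C:\Windows\System32\svchost.exe",
                    datetime(2024, 1, 1, 12, 0, 0), datetime(2024, 1, 1, 12, 0, 1)),
    TimeChangeEvent("DC01", "jdoe", r"C:\Windows\System32\cmd.exe",
                    datetime(2024, 1, 1, 12, 5, 0), datetime(2023, 12, 25, 12, 5, 0)),
    TimeChangeEvent("SQL01", "SYSTEM", r"C:\Temp\updater.exe",
                    datetime(2024, 1, 1, 13, 0, 0), datetime(2024, 1, 1, 15, 0, 0)),
    TimeChangeEvent("WS042", "jdoe", r"C:\Windows\System32\cmd.exe",
                    datetime(2024, 1, 1, 14, 0, 0), datetime(2024, 1, 2, 14, 0, 0)),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports two alerts, the cmd.exe rewind on DC01 and the unknown updater.exe on SQL01, and stays silent for the W32Time sync and the workstation event. Tuning is in the two sets at the top: the critical-server list from the customer and the expected-source pairs, which is where a hypervisor's time-sync binary goes when it shows up as a false positive.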