21 lines
1.0 KiB
YAML
id: 9fd6f61d-2cc3-48de-acf5-7194e78d6ea1
name: Windows System Time changed on hosts
description: |
  'Identifies when the system time was changed on a Windows host which can indicate potential timestomping activities.
  Reference: Event ID 4616 is only available when the full event collection is enabled - https://docs.microsoft.com/azure/sentinel/connect-windows-security-events'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1070
query: |

  SecurityEvent
  | where EventID == 4616
  | where not(ProcessName has_any (":\\Windows\\System32\\svchost.exe", ":\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"))
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Computer, EventID, Activity, Account, AccountType, NewTime, PreviousTime, ProcessName, ProcessId, SubjectAccount, SubjectUserSid, SourceComputerId, _ResourceId
  | extend timestamp = StartTime, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount
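The KQL above does three things: keep only Event ID 4616 (system time changed), drop the two expected benign sources (the Windows Time service hosted in svchost.exe and VMware Tools time sync in vmtoolsd.exe), and collapse repeated identical changes on a host into one row with a first-seen/last-seen window and a count. The following Python port, added here as an illustration and not part of the Azure Sentinel rule or repository, runs that same logic over a few constructed SecurityEvent-shaped rows (the hostnames, accounts, SIDs, times and resource IDs are invented) so the filter and grouping behaviour can be checked offline. It treats `has_any` as case-insensitive substring containment of the listed path fragments, which is an approximation of KQL's term-based `has` semantics.

```python
"""Offline port of the 'Windows System Time changed on hosts' hunting query.

Not the rule's own code: a Python re-implementation run over constructed
sample rows so the filter/summarize behaviour can be exercised without a
Sentinel workspace.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Process path fragments the query excludes: W32Time (hosted in svchost.exe)
# and VMware Tools time synchronisation are expected sources of 4616.
EXCLUDED_PROCESS_FRAGMENTS = (
    ":\\Windows\\System32\\svchost.exe",
    ":\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
)

# Grouping columns of the `summarize ... by` clause, in the query's order.
GROUP_BY = ("Computer", "EventID", "Activity", "Account", "AccountType",
            "NewTime", "PreviousTime", "ProcessName", "ProcessId",
            "SubjectAccount", "SubjectUserSid", "SourceComputerId", "_ResourceId")


def _row(computer, when, process, account, new_time, previous_time, event_id=4616):
    """Build one constructed SecurityEvent-like row (only the columns the query reads)."""
    return {
        "TimeGenerated": when,
        "Computer": computer,
        "EventID": event_id,
        "Activity": "4616 - The system time was changed." if event_id == 4616 else "other",
        "Account": account,
        "AccountType": "User",
        "NewTime": new_time,
        "PreviousTime": previous_time,
        "ProcessName": process,
        "ProcessId": "0x1a2c",
        "SubjectAccount": account,
        "SubjectUserSid": "S-1-5-21-1-2-3-1001",  # constructed SID
        "SourceComputerId": "11111111-1111-1111-1111-111111111111",  # constructed
        "_ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/" + computer,
    }


T0 = datetime(2023, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    # Clock rolled back a day from an interactive cmd.exe, logged twice with
    # identical fields: must collapse to ONE result row with count 2.
    _row("WS01", T0, "C:\\Windows\\System32\\cmd.exe", "CONTOSO\\alice",
         "2023-04-30T10:00:00Z", "2023-05-01T10:00:00Z"),
    _row("WS01", T0 + timedelta(minutes=1), "C:\\Windows\\System32\\cmd.exe", "CONTOSO\\alice",
         "2023-04-30T10:00:00Z", "2023-05-01T10:00:00Z"),
    # Windows Time service correcting drift: excluded by the has_any filter.
    _row("WS01", T0 + timedelta(minutes=5), "C:\\Windows\\System32\\svchost.exe",
         "NT AUTHORITY\\LOCAL SERVICE", "2023-05-01T10:05:01Z", "2023-05-01T10:05:00Z"),
    # VMware Tools time sync on a VM: excluded.
    _row("SRV02", T0 + timedelta(minutes=7), "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
         "NT AUTHORITY\\SYSTEM", "2023-05-01T10:07:02Z", "2023-05-01T10:07:00Z"),
    # Unrelated logon event: dropped by the EventID filter.
    _row("SRV02", T0 + timedelta(minutes=8), "C:\\Windows\\System32\\lsass.exe",
         "CONTOSO\\bob", "", "", event_id=4624),
    # Manual change via w32tm.exe by a user: one result row with count 1.
    _row("SRV02", T0 + timedelta(minutes=9), "C:\\Windows\\System32\\w32tm.exe", "CONTOSO\\bob",
         "2023-05-01T09:00:00Z", "2023-05-01T10:09:00Z"),
]


def is_excluded_process(process_name):
    """Approximate `ProcessName has_any (...)` as case-insensitive containment.

    KQL `has` is term-based; substring containment of these path fragments is
    assumed to be equivalent for this exclusion list.
    """
    lowered = process_name.lower()
    return any(frag.lower() in lowered for frag in EXCLUDED_PROCESS_FRAGMENTS)


def hunt_system_time_changes(events):
    """Filter to 4616, drop benign processes, summarize per grouping key.

    Returns one dict per distinct group with StartTime/EndTime/count_ and the
    entity columns the query's final `extend` adds.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4616:
            continue
        if is_excluded_process(ev["ProcessName"]):
            continue
        groups[tuple(ev[c] for c in GROUP_BY)].append(ev["TimeGenerated"])

    results = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["StartTime"] = min(times)
        row["EndTime"] = max(times)
        row["count_"] = len(times)
        row["timestamp"] = row["StartTime"]
        row["HostCustomEntity"] = row["Computer"]
        row["AccountCustomEntity"] = row["SubjectAccount"]
        results.append(row)
    return results


if __name__ == "__main__":
    for r in hunt_system_time_changes(SAMPLE_EVENTS):
        print(r["Computer"], r["SubjectAccount"], r["ProcessName"],
              r["PreviousTime"], "->", r["NewTime"], "x", r["count_"])
```

Running it yields two rows: WS01/alice/cmd.exe with a count of 2 and a one-minute StartTime to EndTime window, and SRV02/bob/w32tm.exe with a count of 1. The svchost.exe and vmtoolsd.exe changes and the 4624 event never reach the summarize step, which is exactly the noise the rule's `has_any` exclusion and `EventID == 4616` filter are meant to remove.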