LoFP / changes made to or by the local ntp service

Techniques

Sample rules

File Creation Date Changed to Another Year

Description

Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change a file's creation time, so such a change does not by itself indicate malicious activity.

Detection logic

selection1:
  PreviousCreationUtcTime|startswith: '2022'
filter1:
  CreationUtcTime|startswith: '2022'
selection2:
  PreviousCreationUtcTime|startswith: '202'
filter2:
  CreationUtcTime|startswith: '202'
gen_filter_tiworker:
  Image|endswith: \TiWorker.exe
  Image|startswith: C:\WINDOWS\
  TargetFilename|endswith: .cab
gen_filter_updates:
- Image:
  - C:\Windows\system32\ProvTool.exe
  - C:\Windows\System32\usocoreworker.exe
  - C:\Windows\ImmersiveControlPanel\SystemSettings.exe
- TargetFilename|startswith: C:\ProgramData\USOPrivate\UpdateStore\
- TargetFilename|endswith:
  - .tmp
  - .temp
condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter*
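The detection logic above written out as an evaluator over Sysmon Event ID 2 (FileCreateTime) records, as an added example that is not part of the LoFP page or the Sigma rule; the event records and file paths are constructed. Sigma compares strings case-insensitively by default, which the code reproduces, and the third record shows a year change (2021 to 2023) that the rule's `'2022'` and `'202'` prefixes do not cover.

```python
# Evaluate the 'File Creation Date Changed to Another Year' condition on Sysmon Event ID 2 records.
# Sigma string matching is case-insensitive by default, so every comparison folds case.
WIN_UPDATE_IMAGES = {
    "c:\\windows\\system32\\provtool.exe",
    "c:\\windows\\system32\\usocoreworker.exe",
    "c:\\windows\\immersivecontrolpanel\\systemsettings.exe",
}

def matches_rule(event: dict) -> bool:
    prev = event.get("PreviousCreationUtcTime", "").lower()
    new = event.get("CreationUtcTime", "").lower()
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()

    selection1, filter1 = prev.startswith("2022"), new.startswith("2022")
    selection2, filter2 = prev.startswith("202"), new.startswith("202")

    # gen_filter_tiworker is a YAML map: every listed field must match (AND).
    gen_filter_tiworker = (image.endswith("\\tiworker.exe")
                           and image.startswith("c:\\windows\\")
                           and target.endswith(".cab"))
    # gen_filter_updates is a list of maps: any single item is enough (OR).
    gen_filter_updates = (image in WIN_UPDATE_IMAGES
                          or target.startswith("c:\\programdata\\usoprivate\\updatestore\\")
                          or target.endswith((".tmp", ".temp")))

    return (((selection1 and not filter1) or (selection2 and not filter2))
            and not (gen_filter_tiworker or gen_filter_updates))

def _event(image, target, prev, new):
    return {"Image": image, "TargetFilename": target,
            "PreviousCreationUtcTime": prev, "CreationUtcTime": new}

# Constructed records in Sysmon's UTC timestamp format (not real telemetry).
SAMPLE_EVENTS = {
    # Creation time pushed back from 2022 into 2009: should alert.
    "backdated_dll": _event("C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
                            "C:\\ProgramData\\Vendor\\agent.dll",
                            "2022-05-10 14:03:11.000", "2009-07-14 01:14:38.000"),
    # Servicing stack touching a .cab: excluded by gen_filter_tiworker despite mixed case.
    "tiworker_cab": _event("C:\\Windows\\WinSxS\\servicing\\TiWorker.exe",
                           "C:\\Windows\\SoftwareDistribution\\Download\\package.cab",
                           "2023-02-01 09:00:00.000", "2019-11-30 12:00:00.000"),
    # 2021 -> 2023: both start with '202' and neither is 2022, so no clause fires.
    "within_decade": _event("C:\\Windows\\System32\\notepad.exe", "C:\\Users\\alice\\report.docx",
                            "2021-06-01 08:00:00.000", "2023-06-01 08:00:00.000"),
}

def evaluate_all() -> dict:
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}
```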