LoFP / Hyper-V or other virtualization technologies with a binary not listed in the filter portion of the detection

Techniques

Sample rules

Unauthorized System Time Modification

Description

Detects scenarios where a potentially unauthorized application or user modifies the system time (Windows Security event 4616, "The system time was changed").

Detection logic

selection:
  EventID: 4616
filter_main_svchost:
  ProcessName: C:\Windows\System32\svchost.exe
  SubjectUserSid: S-1-5-19
filter_optional_vmtools:
  ProcessName:
  - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
  - C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe
  - C:\Windows\System32\VBoxService.exe
  - C:\Windows\System32\oobe\msoobe.exe
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
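To make the false-positive case concrete, here is an added example (not part of the original page and not the Sigma project's own code) that evaluates the rule's condition over a handful of constructed event 4616 records: a W32Time sync from svchost.exe as LOCAL SERVICE, a listed VMware guest agent, an unlisted guest time-sync binary from a hypothetical hypervisor (the path `C:\Program Files\ExampleHV\guest-timesync.exe` is invented for illustration), and an interactive user running cmd.exe. The matching helpers follow Sigma's usual semantics (a map is AND over its fields, a list is OR over its values, strings compare case-insensitively); the condition string itself is not parsed but hard-coded to the rule above.

```python
"""Evaluate the 'Unauthorized System Time Modification' Sigma rule over
constructed Security log events. Added example, not code from the page."""
import copy
from typing import Any, Dict, List

# Detection section transcribed from the rule above.
RULE: Dict[str, Dict[str, Any]] = {
    "selection": {"EventID": 4616},
    "filter_main_svchost": {
        "ProcessName": r"C:\Windows\System32\svchost.exe",
        "SubjectUserSid": "S-1-5-19",  # NT AUTHORITY\LOCAL SERVICE (hosts W32Time)
    },
    "filter_optional_vmtools": {
        "ProcessName": [
            r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
            r"C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe",
            r"C:\Windows\System32\VBoxService.exe",
            r"C:\Windows\System32\oobe\msoobe.exe",
        ],
    },
}
CONDITION = "selection and not 1 of filter_main_* and not 1 of filter_optional_*"


def _eq(actual: Any, expected: Any) -> bool:
    # Sigma compares strings case-insensitively; other types exactly.
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()
    return actual == expected


def _matches(event: Dict[str, Any], criteria: Dict[str, Any]) -> bool:
    # A Sigma map is an AND over its fields; a list value is an OR over its entries.
    for field, expected in criteria.items():
        actual = event.get(field)
        choices = expected if isinstance(expected, list) else [expected]
        if not any(_eq(actual, c) for c in choices):
            return False
    return True


def evaluate(event: Dict[str, Any], rule: Dict[str, Dict[str, Any]] = RULE) -> bool:
    """Apply CONDITION: selection AND NOT (any filter_main_* or filter_optional_*)."""
    if not _matches(event, rule["selection"]):
        return False
    return not any(
        _matches(event, crit) for name, crit in rule.items() if name.startswith("filter_")
    )


def flagged(events: List[Dict[str, Any]], rule: Dict[str, Dict[str, Any]] = RULE) -> List[str]:
    """Return the ProcessName of every event the rule would alert on, in input order."""
    return [e["ProcessName"] for e in events if evaluate(e, rule)]


def with_extra_filter(rule: Dict[str, Dict[str, Any]], process_name: str) -> Dict[str, Dict[str, Any]]:
    """Copy the rule with one more allowed path in filter_optional_vmtools (the tuning step)."""
    tuned = copy.deepcopy(rule)
    tuned["filter_optional_vmtools"]["ProcessName"].append(process_name)
    return tuned


# Constructed Security log records, reduced to the fields the rule reads.
HYPOTHETICAL_AGENT = r"C:\Program Files\ExampleHV\guest-timesync.exe"  # invented path
EVENTS: List[Dict[str, Any]] = [
    {"EventID": 4616, "SubjectUserSid": "S-1-5-19",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},        # W32Time sync: filtered
    {"EventID": 4616, "SubjectUserSid": "S-1-5-18",
     "ProcessName": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"},  # listed agent: filtered
    {"EventID": 4616, "SubjectUserSid": "S-1-5-18",
     "ProcessName": HYPOTHETICAL_AGENT},                         # unlisted guest agent: false positive
    {"EventID": 4616, "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "ProcessName": r"C:\Windows\System32\cmd.exe"},            # interactive user: true positive
    {"EventID": 4624, "SubjectUserSid": "S-1-5-18",
     "ProcessName": r"C:\Windows\System32\cmd.exe"},            # other event ID: not selected
]

if __name__ == "__main__":
    print("as written:", flagged(EVENTS))
    print("tuned:     ", flagged(EVENTS, with_extra_filter(RULE, HYPOTHETICAL_AGENT)))
```

As written, the rule alerts on both the unlisted guest agent and cmd.exe; adding the agent's path to `filter_optional_vmtools` removes the false positive while the user-driven change still fires. When tuning a real deployment, prefer pairing the path with the service account SID (as `filter_main_svchost` does) rather than a bare path, since a path-only filter is satisfied by any process an attacker can start from that location.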