LoFP / Hyper-V or other virtualization technologies with a time-synchronisation binary not listed in the filter portion of the detection

Techniques

Sample rules

Unauthorized System Time Modification

Description

Detects a potentially unauthorized application or user modifying the system time (Windows Security event 4616, "The system time was changed"), after excluding the expected time-synchronisation services named in the filters below.

Detection logic

selection:
  EventID: 4616
filter1:
  ProcessName:
  - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
  - C:\Windows\System32\VBoxService.exe
  - C:\Windows\System32\oobe\msoobe.exe
filter2:
  ProcessName: C:\Windows\System32\svchost.exe
  SubjectUserSid: S-1-5-19
condition: selection and not 1 of filter*
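To see where the false positive comes from, the following is an added example (not the rule's own code and not part of this page) that evaluates the detection logic above over a handful of constructed 4616 records. Field names follow the Security 4616 event (SubjectUserSid, ProcessName, PreviousTime, NewTime); the values, the account SID and the path "C:\Program Files\Example Hypervisor\guest-timesync.exe" are invented to stand in for a virtualization guest agent that is not in filter1. String comparison is done case-insensitively, which is how Sigma backends match these fields by default.

```python
"""Added example: evaluate the Sigma-style rule above over constructed
Security 4616 events. Not the rule's own code; all records are constructed."""

# filter1: known guest-tools / OOBE binaries that legitimately set the clock.
FILTER1_PROCESS_NAMES = frozenset(p.lower() for p in (
    r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
    r"C:\Windows\System32\VBoxService.exe",
    r"C:\Windows\System32\oobe\msoobe.exe",
))

# filter2: svchost.exe running as NT AUTHORITY\LOCAL SERVICE (S-1-5-19),
# the account the Windows Time service (W32Time) runs under.
FILTER2_PROCESS_NAME = r"C:\Windows\System32\svchost.exe".lower()
FILTER2_SUBJECT_SID = "S-1-5-19"


def selection(event):
    return event.get("EventID") == 4616


def filter1(event, extra_process_names=frozenset()):
    # extra_process_names lets a tuner add the missing virtualization binary.
    name = event.get("ProcessName", "").lower()
    return name in FILTER1_PROCESS_NAMES or name in extra_process_names


def filter2(event):
    return (event.get("ProcessName", "").lower() == FILTER2_PROCESS_NAME
            and event.get("SubjectUserSid") == FILTER2_SUBJECT_SID)


def is_alert(event, extra_process_names=frozenset()):
    # condition: selection and not 1 of filter*
    # "1 of filter*" is true when at least one filterN block matches.
    return selection(event) and not (filter1(event, extra_process_names)
                                     or filter2(event))


def run_detection(events, extra_process_names=()):
    """Return the ProcessName of every event the rule would fire on."""
    extra = frozenset(p.lower() for p in extra_process_names)
    return [e["ProcessName"] for e in events if is_alert(e, extra)]


# Constructed records (invented values, hypothetical hypervisor agent path).
HYPOTHETICAL_GUEST_AGENT = r"C:\Program Files\Example Hypervisor\guest-timesync.exe"
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed

SAMPLE_EVENTS = [
    # W32Time correcting drift inside svchost.exe as LOCAL SERVICE: filter2.
    {"EventID": 4616, "SubjectUserSid": "S-1-5-19", "SubjectUserName": "LOCAL SERVICE",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2024-05-01T10:00:00.000Z", "NewTime": "2024-05-01T10:00:00.210Z"},
    # VMware Tools host/guest time sync: filter1.
    {"EventID": 4616, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "PreviousTime": "2024-05-01T10:01:00.000Z", "NewTime": "2024-05-01T10:01:00.050Z"},
    # A virtualization agent that is NOT in filter1: the false positive this
    # page describes.  Fires until the path is added to the filter.
    {"EventID": 4616, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
     "ProcessName": HYPOTHETICAL_GUEST_AGENT,
     "PreviousTime": "2024-05-01T10:02:00.000Z", "NewTime": "2024-05-01T10:02:00.080Z"},
    # Interactive user rolling the clock back by a year: the intended detection.
    {"EventID": 4616, "SubjectUserSid": USER_SID, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\cmd.exe",
     "PreviousTime": "2024-05-01T10:05:00.000Z", "NewTime": "2023-01-01T00:00:00.000Z"},
    # svchost.exe but running as SYSTEM: filter2 requires S-1-5-19, so it fires.
    {"EventID": 4616, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2024-05-01T10:06:00.000Z", "NewTime": "2024-05-01T09:06:00.000Z"},
    # Unrelated logon event: outside the selection entirely.
    {"EventID": 4624, "SubjectUserSid": USER_SID, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
]


if __name__ == "__main__":
    print("as shipped:", run_detection(SAMPLE_EVENTS))
    print("guest agent added to filter1:",
          run_detection(SAMPLE_EVENTS, extra_process_names=[HYPOTHETICAL_GUEST_AGENT]))
```

Running it shows three hits as shipped (the hypothetical guest agent, cmd.exe and svchost.exe-as-SYSTEM) and two once the guest agent's path is added to filter1, which is the tuning this false-positive entry calls for. Two caveats before doing so: the filters key only on a path string, so anything with write access to one of those paths (or the ability to set a misleading ProcessName in a forged event) inherits the exception, and filter2 suppresses every svchost.exe-hosted service running as LOCAL SERVICE, not just W32Time. Prefer adding the exact, fully qualified path of the virtualization binary rather than a wildcard, and keep the 4616 PreviousTime/NewTime delta in the alert so large jumps stand out from sub-second sync corrections.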