Thursday, 7 February 2019

Threat Hunting #17 - Suspicious System Time Change

Pay attention to which process & account change your system's time

System time changes are logged as Security event 4616. Legit system time changes will have:

  • svchost.exe as process name
  • NT AUTHORITY\LOCAL SERVICE as account name

Anything else is worth a look.
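
The rule above as a hunt over exported 4616 records, as an added example that is not part of the original post. The event XML is constructed sample data; matching the account by its well-known SID S-1-5-19 (so localized account names still match) and requiring the full System32 path for svchost.exe are assumptions that are stricter than the post's wording.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_SERVICE_SID = "S-1-5-19"  # well-known SID of NT AUTHORITY\LOCAL SERVICE
# Assumption: default install path; the post itself only names svchost.exe.
EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"

def make_event(event_id, sid, user, image):
    """Build a constructed record in Windows event XML layout (sample data only)."""
    fields = {"SubjectUserSid": sid, "SubjectUserName": user, "ProcessName": image}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

# Constructed sample events, not taken from a real host.
SAMPLE_EVENTS = [
    make_event(4616, "S-1-5-19", "LOCAL SERVICE", r"C:\Windows\System32\svchost.exe"),
    make_event(4616, "S-1-5-21-1111-2222-3333-1001", "jdoe", r"C:\Windows\System32\cmd.exe"),
    make_event(4616, "S-1-5-19", "LOCAL SERVICE", r"C:\Users\Public\svchost.exe"),
    make_event(4624, "S-1-5-21-1111-2222-3333-1001", "jdoe", r"C:\Windows\System32\winlogon.exe"),
]

def suspicious_time_changes(events_xml):
    """Return (user, image, reasons) for each 4616 event outside the baseline."""
    hits = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        # Only event 4616 records a system time change; skip everything else.
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4616":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        reasons = []
        # Full-path comparison also catches a same-named binary outside System32.
        if data.get("ProcessName", "").lower() != EXPECTED_IMAGE:
            reasons.append("unexpected process")
        if data.get("SubjectUserSid") != LOCAL_SERVICE_SID:
            reasons.append("unexpected account")
        if reasons:
            hits.append((data.get("SubjectUserName"), data.get("ProcessName"), reasons))
    return hits

if __name__ == "__main__":
    for user, image, reasons in suspicious_time_changes(SAMPLE_EVENTS):
        print(f"{user} via {image}: {', '.join(reasons)}")
```
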


References:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4616
