Managed Sentinel – Alert 126
| Field | Value |
|---|---|
| Alert ID | MS-A126 |
| Alert Name | Windows system time has been changed on a critical server |
| Description | This alert is triggered whenever the system time is changed on one of the listed critical servers. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may indicate an attempt to tamper with the computer. The customer is to provide the list of critical servers to be included in this alert. |
| Severity Level | Informational |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Execution, Privilege Escalation, Lateral Movement, Command and Control |
| Log sources | Windows Information Event Logs |
| False Positives | Hyper-V or other virtualization technologies whose time-synchronization binary is not listed in the filter portion of the detection |
| Recommendations | 1. Perform a full AV/AM scan of the affected server. 2. Collect the relevant log evidence. 3. Investigate in Sentinel for other IOCs originating from this server in the same time interval. |
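The detection logic described above (fire on a time change on a critical server, except when the change comes from the Windows Time Service under the System account or from a binary on the filter list) can be illustrated with a small offline evaluator. The following is an added example, not the Managed Sentinel rule itself: it assumes records shaped like Windows Security event 4616 ("The system time was changed"), which carries the subject SID, the process name and the previous/new time. The server names, SIDs, process paths and timestamps are constructed sample data, and the allow-list of time-changing binaries is an assumption that a deployment would tune to its own virtualization stack.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample configuration (assumption: the real list comes from the customer).
CRITICAL_SERVERS = {"dc01.corp.example", "fs01.corp.example"}

# Well-known SID of the Local System account, which the Windows Time Service runs as.
SYSTEM_SID = "S-1-5-18"

# Filter portion of the detection: binaries allowed to change the clock when running as System.
# svchost.exe hosts the W32Time service; a site running Hyper-V or another hypervisor would add
# the guest time-sync binary here (assumption: exact path depends on the platform).
ALLOWED_TIME_CHANGERS = {
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class TimeChangeEvent:
    """Subset of the fields found on a Security event 4616 record."""
    computer: str
    subject_sid: str
    process_name: str
    previous_time: str  # ISO 8601, UTC
    new_time: str       # ISO 8601, UTC


@dataclass
class Alert:
    computer: str
    subject_sid: str
    process_name: str
    delta_seconds: float
    reason: str


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate(event: TimeChangeEvent) -> Optional[Alert]:
    """Return an Alert for a suspicious time change on a critical server, else None."""
    if event.computer.lower() not in CRITICAL_SERVERS:
        return None  # non-critical host: out of scope for MS-A126

    proc = event.process_name.lower()
    is_system = event.subject_sid == SYSTEM_SID
    if is_system and proc in ALLOWED_TIME_CHANGERS:
        return None  # expected behaviour of the Windows Time Service

    if not is_system:
        reason = "time changed by a non-System account"
    else:
        reason = "time changed by a binary outside the filter list"

    # The size and direction of the jump helps the analyst judge intent.
    delta = (_parse(event.new_time) - _parse(event.previous_time)).total_seconds()
    return Alert(event.computer, event.subject_sid, event.process_name, delta, reason)


def run(events: List[TimeChangeEvent]) -> List[Alert]:
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Routine W32Time correction on a domain controller: suppressed.
    TimeChangeEvent("dc01.corp.example", SYSTEM_SID, r"C:\Windows\System32\svchost.exe",
                    "2024-03-01T10:00:00Z", "2024-03-01T10:00:01Z"),
    # Interactive user winds the clock back three days on a file server: alert.
    TimeChangeEvent("fs01.corp.example", "S-1-5-21-1111-2222-3333-1105", r"C:\Windows\System32\cmd.exe",
                    "2024-03-01T10:00:00Z", "2024-02-27T10:00:00Z"),
    # Same action on a host that is not on the critical list: out of scope.
    TimeChangeEvent("web01.corp.example", "S-1-5-21-1111-2222-3333-1105", r"C:\Windows\System32\cmd.exe",
                    "2024-03-01T11:00:00Z", "2024-03-01T11:05:00Z"),
    # System account, but an unlisted binary on the domain controller: alert.
    TimeChangeEvent("dc01.corp.example", SYSTEM_SID, r"C:\Tools\unknown.exe",
                    "2024-03-01T12:00:00Z", "2024-03-01T12:30:00Z"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"{alert.computer}: {alert.reason} ({alert.process_name}, "
              f"{alert.subject_sid}, delta {alert.delta_seconds:+.0f}s)")
```

Running the block prints the two alerts (fs01 and dc01) and stays silent on the W32Time correction and on the non-critical host; the Hyper-V false positive from the table corresponds to a System-account change from a binary that has not yet been added to `ALLOWED_TIME_CHANGERS`.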
