From 74fc8903ff876d42ca9fd20339aa28e3f8ff4d3e Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 3 Aug 2022 13:18:32 +0000 Subject: [PATCH] Reducing to a low level, as this is not a single indicator of compromise. Users and scripts from time sensitive applications such as mfa/oauth will execute net time \\host /set /y --- rules/windows/builtin/security/win_susp_time_modification.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/security/win_susp_time_modification.yml b/rules/windows/builtin/security/win_susp_time_modification.yml index ca2ce0525..cfb8b9f32 100644 --- a/rules/windows/builtin/security/win_susp_time_modification.yml +++ b/rules/windows/builtin/security/win_susp_time_modification.yml @@ -8,7 +8,7 @@ references: - Live environment caused by malware - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616 date: 2019/02/05 -modified: 2022/04/06 +modified: 2022/08/03 logsource: product: windows service: security @@ -27,7 +27,7 @@ detection: condition: selection and not 1 of filter* falsepositives: - HyperV or other virtualization technologies with binary not listed in filter portion of detection -level: medium +level: low tags: - attack.defense_evasion - attack.t1070.006
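Review bot: In the second hunk (`-level: medium` / `+level: low`), the rationale for lowering the level lives only in the commit message; the rule's `falsepositives` section still lists only HyperV/virtualization, so an analyst reading the rule will not see why a 4616 event from `net time \\host /set /y` may be benign. Suggest adding a falsepositives entry alongside the level change, e.g. `- Time synchronization by scripts or users of time-sensitive applications such as MFA/OAuth (net time \\host /set /y)`. Since the condition is `selection and not 1 of filter*`, also consider whether that legitimate case can be expressed as a `filter` entry instead of, or in addition to, lowering the level for every match.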