add new rule

rules/windows/builtin/win_susp_time_modification.yml

@@ -0,0 +1,28 @@
+title: Unauthorized System Time Modification
+status: experimental
+description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
+author: '@neu5ron'
+references:
+    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
+    - Live environment caused by malware
+date: 2019/02/05
+tags:
+    - attack.t1099
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
+detection:
+    selection:
+        EventID: 4616
+    filter1:
+        ProcessName: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
+    filter2:
+      ProcessName: 'C:\Windows\System32\VBoxService.exe'
+    filter3:
+      ProcessName: 'C:\Windows\System32\svchost.exe'
+      SubjectUserSid: 'S-1-5-19'
+    condition: selection and not ( filter1 or filter2 or filter3 )
+falsepositives:
+    - HyperV or other virtualization technologies with binary not listed in filter portion of detection
+level: high