This note documents detection patterns related to System Time Changes within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4616 | System time changed | Critical | Primary indicator of manual or programmatic time manipulation |
| System | 1 | Time changed (Kernel-General) | High | Captures system-level time adjustments |
| System | 35 | Time service sync | Medium | Indicates time synchronization attempt |
| System | 37 | Time difference detected | High | Large drift may indicate tampering |
| System | 50 | Time jump correction | High | Significant correction applied |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Time moved backwards | System time decreases | Critical | Strong anti-forensics signal |
| Time change before log clear | 4616 → 1102 sequence | Critical | Attempt to break timeline |
| Time change before execution | Precedes suspicious process | High | Timeline manipulation |
| Frequent time adjustments | Multiple 4616 events | High | Possible script/tool usage |
| Time drift from NTP baseline | Large offset | Medium | Could indicate tampering or misconfig |
| Time change under non-admin | Unexpected user context | Critical | Privilege misuse |
Common Tools
| Tool | Usage |
|---|---|
| PowerShell | Set-Date |
| w32tm | Time sync / manual offset |
| date / time (cmd) | Manual change |
| custom malware | Timestamp evasion |
| domain time manipulation | NTP abuse |
Relevant Artifacts
- Security Event ID 4616
- System Event IDs 1, 35, 37, 50
- Sysmon Event ID 1 (process responsible)
- Prefetch for:
  - powershell.exe
  - cmd.exe
  - w32tm.exe
- Registry:
  - SYSTEM\CurrentControlSet\Services\W32Time
- Windows Time Service logs
- MFT timestamps (compare anomalies)
- Event log timeline inconsistencies
MITRE ATT&CK References
- T1070 Indicator Removal on Host
- T1070.006 Timestomp
- T1562 Impair Defenses
Decision Tree
- Was time changed?
  - Security 4616
  - System 1
- Direction of change?
  - Forward (sync)
  - Backward (suspicious)
- Who performed it?
  - SYSTEM
  - Administrator
  - Unexpected user
- What process caused it?
  - PowerShell
  - cmd
  - w32tm
  - Unknown binary
- Timing suspicious?
  - Before log clear
  - Before execution
  - After intrusion
- Correlate:
  - Log gaps
  - MFT inconsistencies
  - Event ordering anomalies
- Scope:
  - Single event
  - Repeated manipulation
  - Domain-wide impact
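Worked example, added here and not part of the original note: a small Python triage routine that applies the Indirect Indicators table and the decision tree above to a handful of constructed Security 4616 and 1102 records. The field names (SubjectUserName, PreviousTime, NewTime, ProcessName) follow the 4616 EventData layout; the sample records, the allow-lists of expected accounts and processes, and every threshold are assumptions to tune per environment. It also reconstructs an approximate true timeline from the cumulative PreviousTime minus NewTime offset, because after a backward change the TimeCreated of every later record, the 1102 included, is stamped by the manipulated clock and would otherwise appear to precede the change.

```python
"""Triage of Windows system-time-change records (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}
# Accounts and binaries that normally adjust the clock (assumption: tune per environment).
EXPECTED_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
EXPECTED_PROCESSES = {"svchost.exe", "w32tm.exe"}


def parse_win_time(value):
    """Parse the 4616 timestamp format, e.g. 2025-03-10T13:00:00.1200000Z.

    Windows writes seven fractional digits; Python keeps six, so the rest is truncated.
    """
    base, _, frac = value.rstrip("Z").partition(".")
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if frac:
        parsed = parsed.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return parsed.replace(tzinfo=timezone.utc)


def reconstruct_timeline(events):
    """Return (event, estimated true time) pairs in record order.

    After a 4616 the clock stamping later records is off by PreviousTime - NewTime,
    so that offset is accumulated and added back. Assumption: the 4616 record itself
    is already stamped with the new clock value.
    """
    offset = timedelta(0)
    timeline = []
    for ev in sorted(events, key=lambda e: e["record_id"]):
        if ev["event_id"] == 4616:
            offset += parse_win_time(ev["PreviousTime"]) - parse_win_time(ev["NewTime"])
        timeline.append((ev, parse_win_time(ev["time"]) + offset))
    return timeline


def ordering_anomalies(events):
    """(previous_id, record_id) pairs where the recorded time goes backwards."""
    ordered = sorted(events, key=lambda e: e["record_id"])
    return [(a["record_id"], b["record_id"]) for a, b in zip(ordered, ordered[1:])
            if parse_win_time(b["time"]) < parse_win_time(a["time"])]


def triage(events, seq_window=timedelta(minutes=15), freq_threshold=3,
           freq_window=timedelta(hours=1), drift_threshold=timedelta(minutes=5)):
    """Score each 4616 against the indirect indicators; one finding per change."""
    timeline = reconstruct_timeline(events)
    changes = [(ev, t) for ev, t in timeline if ev["event_id"] == 4616]
    clears = [(ev, t) for ev, t in timeline if ev["event_id"] == 1102]
    findings = []
    for ev, true_time in changes:
        reasons = []
        delta = parse_win_time(ev["NewTime"]) - parse_win_time(ev["PreviousTime"])
        if delta < timedelta(0):                       # direction: backward
            reasons.append(("critical", f"time moved backwards by {-delta}"))
        elif delta > drift_threshold:                  # large forward jump / drift
            reasons.append(("medium", f"large forward jump of {delta}"))
        if ev["SubjectUserName"].upper() not in EXPECTED_ACCOUNTS:   # who
            reasons.append(("critical", f"unexpected user context: {ev['SubjectUserName']}"))
        process = ev["ProcessName"].rsplit("\\", 1)[-1].lower()     # what process
        if process not in EXPECTED_PROCESSES:
            reasons.append(("high", f"unexpected process: {process}"))
        # timing: a 1102 that follows in record order and within the window on the
        # reconstructed timeline (the 4616 -> 1102 sequence)
        if any(c["record_id"] > ev["record_id"] and timedelta(0) <= ct - true_time <= seq_window
               for c, ct in clears):
            reasons.append(("critical", "followed by 1102 audit log clear"))
        same_actor = [c for c, ct in changes                         # scope: repeated?
                      if c["SubjectUserName"] == ev["SubjectUserName"]
                      and abs(ct - true_time) <= freq_window]
        if len(same_actor) >= freq_threshold:
            reasons.append(("high", f"{len(same_actor)} changes by this account within {freq_window}"))
        severity = max((s for s, _ in reasons), key=SEVERITY_RANK.__getitem__, default="info")
        findings.append({"record_id": ev["record_id"], "severity": severity,
                         "reasons": [r for _, r in reasons]})
    return findings


# Constructed sample records, not real telemetry. "time" is TimeCreated as written
# by the (possibly already manipulated) clock.
SAMPLE_EVENTS = [
    {"record_id": 1001, "event_id": 4616, "time": "2025-03-10T13:00:00.1200000Z",   # NTP slew
     "SubjectUserName": "LOCAL SERVICE", "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2025-03-10T13:00:00.0000000Z", "NewTime": "2025-03-10T13:00:00.1200000Z"},
    {"record_id": 1002, "event_id": 4616, "time": "2025-03-08T14:05:00.0000000Z",   # set back 2 days
     "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PreviousTime": "2025-03-10T14:05:00.0000000Z", "NewTime": "2025-03-08T14:05:00.0000000Z"},
    {"record_id": 1003, "event_id": 1102, "time": "2025-03-08T14:06:30.0000000Z",   # log cleared
     "SubjectUserName": "jdoe"},
    {"record_id": 1004, "event_id": 4616, "time": "2025-03-08T14:20:05.0000000Z",   # +5 s nudge
     "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\System32\cmd.exe",
     "PreviousTime": "2025-03-08T14:20:00.0000000Z", "NewTime": "2025-03-08T14:20:05.0000000Z"},
    {"record_id": 1005, "event_id": 4616, "time": "2025-03-10T14:40:00.0000000Z",   # restored
     "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PreviousTime": "2025-03-08T14:40:00.0000000Z", "NewTime": "2025-03-10T14:40:00.0000000Z"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print("ordering anomalies:", ordering_anomalies(SAMPLE_EVENTS))
```

Run directly it prints one finding per 4616; in practice the records would come from Get-WinEvent or the SIEM rather than the inline list. ordering_anomalies() is the "event ordering anomalies" check from the Correlate step: a later record ID carrying an earlier timestamp is the footprint a backward change leaves in the log regardless of whether the 4616 itself survived.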
Example Detection Templates
KQL

```kql
SecurityEvent
| where EventID == 4616
| project TimeGenerated, Computer, SubjectUserName, PreviousTime, NewTime
```

```kql
Sysmon
| where EventID == 1
| where CommandLine has_any ("Set-Date","w32tm","date ","time ")
| project TimeGenerated, Computer, User, CommandLine
```

EQL

```eql
process where event.code == "1" and process.command_line like "*Set-Date*"
any where event.code == "4616"
```

Sigma

```yaml
title: System Time Change Detection
id: 91acb2f1-time-change
status: experimental
description: Detects system time modifications which may indicate anti-forensic behavior
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-04-05
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4616
  condition: selection
fields:
  - SubjectUserName
  - PreviousTime
  - NewTime
falsepositives:
  - Legitimate admin activity
  - NTP sync
level: high
tags:
  - attack.defense_evasion
  - attack.t1070
  - attack.t1070.006
```
Snort

```
alert udp any any -> any 123 (msg:"NTP Large Time Offset Detected"; content:"|1b|"; depth:1; detection_filter:track by_src, count 5, seconds 60; sid:900001; rev:1;)
```

Note that the rule keys on the first byte of an NTP client request (LI=0, VN=3, Mode=3, i.e. 0x1b) and fires when one source sends more than five such requests in 60 seconds; it detects request frequency from a host, not the size of any time offset, so it is a burst-of-sync-attempts signal to correlate with the host-side events rather than an offset measurement.
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Audit policy | Enable time change auditing | Critical | Required for visibility |
| Sysmon process logging | Track responsible processes | Critical | Attribution |
| NTP enforcement | Domain-controlled time sync | High | Prevent drift |
| Least privilege | Restrict time change rights | High | Reduce abuse |
| SIEM correlation | Detect timeline anomalies | Critical | Core detection layer |
| Alerting | Trigger on backward time change | High | Strong signal |