Time-altering techniques to evade your security controls
In this article I'll be talking about 'Time Travel' and sadly it's not an episode of 'Dr Who' or 'Back to the Future' and not really 'Time Travel' but I needed a catchy title!
What I am referring to is how attackers often change the system clock of a host they have compromised. Doing so can evade EDR detections on the host itself, and it also confuses your SIEM: events arrive carrying a bogus timestamp, so they land outside the time windows your alert rules search and appear out of order on your timeline.
So in this short video article I'll show you how to properly set up a rule in Elastic SIEM to detect this evasion technique, so that you are alerted correctly at the time the event actually occurred rather than at the time the tampered host claims.
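Before the video, here is the detection logic in plain Python so you can see what such a rule has to do. This is an added example written for this article, not the Elastic SIEM rule shown in the video, and it runs over constructed ECS/winlogbeat-style documents, not real telemetry. It applies two checks: Windows Security event 4616 (the system time was changed), ignoring small corrections from the Windows Time service, and a comparison of the host-reported `@timestamp` with the collector-assigned `event.ingested`, which is the clock the attacker cannot touch. The allow-listed process path, the five-minute thresholds and the sample hosts are assumptions for the example.

```python
"""Detection logic for system-time tampering, run over constructed ECS events.

Added example for this article; not the Elastic SIEM rule shown in the video.
Sample events, the process allow-list and the thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed benign source of clock changes (W32Time runs inside svchost); tune for your fleet.
TRUSTED_TIME_PROCESSES = {
    r"C:\Windows\System32\svchost.exe",
}
MAX_JUMP = timedelta(minutes=5)   # clock moves larger than this are suspicious even from W32Time
MAX_SKEW = timedelta(minutes=5)   # tolerated gap between host clock and collector clock


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; Windows writes 7 fractional digits, Python accepts 6."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def detect_time_change(event: dict):
    """Flag Security 4616 (system time changed) unless it is a small NTP correction."""
    if str(event.get("event", {}).get("code")) != "4616":
        return None
    data = event["winlog"]["event_data"]
    jump = parse_ts(data["NewTime"]) - parse_ts(data["PreviousTime"])
    proc = data.get("ProcessName", "")
    if proc in TRUSTED_TIME_PROCESSES and abs(jump) <= MAX_JUMP:
        return None
    return {
        "rule": "system_time_changed",
        "host": event["host"]["name"],
        # Anchor the alert on the collector's clock, which the host cannot alter.
        "alert_time": event["event"]["ingested"],
        "details": f"{data.get('SubjectUserName')} via {proc} moved clock by {jump}",
    }


def detect_ingest_skew(event: dict):
    """Flag any event whose host-reported @timestamp disagrees with event.ingested."""
    skew = parse_ts(event["event"]["ingested"]) - parse_ts(event["@timestamp"])
    if abs(skew) <= MAX_SKEW:
        return None
    return {
        "rule": "host_clock_skew",
        "host": event["host"]["name"],
        "alert_time": event["event"]["ingested"],
        "details": f"@timestamp differs from ingestion by {skew}",
    }


def run_detections(events):
    """Apply both checks to every event and return findings in ingest order."""
    findings = []
    for ev in events:
        for check in (detect_time_change, detect_ingest_skew):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample documents in winlogbeat/ECS shape (not real telemetry).
SAMPLE_EVENTS = [
    {   # routine W32Time correction of about one second: no alert
        "@timestamp": "2024-03-15T10:00:01.1234567Z",
        "event": {"code": "4616", "ingested": "2024-03-15T10:00:03Z"},
        "host": {"name": "ws01"},
        "winlog": {"event_data": {
            "SubjectUserName": "LOCAL SERVICE",
            "ProcessName": r"C:\Windows\System32\svchost.exe",
            "PreviousTime": "2024-03-15T10:00:00.0000000Z",
            "NewTime": "2024-03-15T10:00:01.1234567Z"}},
    },
    {   # attacker winds the clock back a month from a PowerShell session
        "@timestamp": "2024-02-14T10:00:00Z",
        "event": {"code": "4616", "ingested": "2024-03-15T10:05:03Z"},
        "host": {"name": "ws02"},
        "winlog": {"event_data": {
            "SubjectUserName": "jdoe",
            "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "PreviousTime": "2024-03-15T10:05:00.0000000Z",
            "NewTime": "2024-02-14T10:00:00.0000000Z"}},
    },
    {   # later activity on the tampered host still carries the bogus date
        "@timestamp": "2024-02-14T10:01:30Z",
        "event": {"code": "4688", "ingested": "2024-03-15T10:06:35Z"},
        "host": {"name": "ws02"},
    },
    {   # healthy host, healthy clock
        "@timestamp": "2024-03-15T10:07:00Z",
        "event": {"code": "4688", "ingested": "2024-03-15T10:07:02Z"},
        "host": {"name": "ws03"},
    },
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f['alert_time']}] {f['rule']} on {f['host']}: {f['details']}")
```

The two points worth carrying into a SIEM rule are visible in the output: the benign svchost correction on ws01 is silent, while ws02 raises both the 4616 alert and a skew alert, and the skew check keeps firing on every later event from ws02 even though it is not a time-change event at all. Every finding is stamped with `event.ingested`, so the alert appears on the timeline when the collector received it, not a month in the past where the attacker wanted it.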