The system time was changed
The system time was changed manually or via NTP synchronization.
Event ID 4616 records modifications to system clock time. It captures the Previous Time, New Time, and the Subject Account (`SubjectUserName` / `ProcessName`) that performed the adjustment. Attackers frequently alter system clocks ('timestomping' or clock manipulation) to disrupt Kerberos token expiration or desynchronize SIEM audit trails.
Failure Reason / Root Cause:
Normal NTP time synchronization (`w32time`), CMOS battery failure, or malicious clock tampering to confuse forensic timeline analysis.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4616</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.859Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to The system time was changed -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1070.006 | Indicator Removal: Timestomping | Defense Evasion |
Recommended actions
- Verify whether the `ProcessName` corresponds to `C:\Windows\System32\svchost.exe` (`w32time` service).
- Alert if system time is shifted by more than 5 minutes by non-system identities.