T1124 - System Time Discovery
Description from ATT&CK (opens in a new tab)
An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or
systemsetupon macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)System time information may be gathered in a number of ways, such as with Net (opens in a new tab) on Windows by performing
net time \hostnameto gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by usingw32tm /tz.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such asGetTickCount()to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)On network devices, Network Device CLI (opens in a new tab) commands such as
show clock detailcan be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) On ESXi servers,esxcli system clock getcan be used for the same purpose.In addition, system calls – such as
time()– have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such assystemsetup -gettimezoneortimeIntervalSinceNowto gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job (opens in a new tab)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery (opens in a new tab)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
Atomic Tests
Atomic Test #1 - System Time Discovery
Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
Supported Platforms: Windows
auto_generated_guid: 20aba24b-e61f-4b26-b4ce-4784f763ca20
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| computer_name | computer name to query | string | localhost |
Attack Commands: Run with command_prompt!
net time \\#{computer_name}
w32tm /tzAtomic Test #2 - System Time Discovery - PowerShell
Identify the system time via PowerShell. Upon execution, the system time will be displayed.
Supported Platforms: Windows
auto_generated_guid: 1d5711d6-655c-4a47-ae9c-6503c74fa877
Attack Commands: Run with powershell!
Get-DateAtomic Test #3 - System Time Discovery in FreeBSD/macOS
Identify system time. Upon execution, the local computer system time and timezone will be displayed.
Supported Platforms: Linux, macOS
auto_generated_guid: f449c933-0891-407f-821e-7916a21a1a6f
Attack Commands: Run with sh!
dateAtomic Test #4 - System Time Discovery W32tm as a Delay
identifies DCRat delay time tactics using w32tm. https://research.splunk.com/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/ (opens in a new tab) https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: d5d5a6b0-0f92-42d8-985d-47aafa2dd4db
Attack Commands: Run with command_prompt!
W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2Atomic Test #5 - System Time with Windows time Command
Displays the current system time via the Windows builtin time command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time (opens in a new tab) Recently observed in use in the wild during an incident involving Ursnif malware: https://github.com/The-DFIR-Report/Sigma-Rules/blob/dc72f0b557fc63347379be0a33439788256761c8/rules/windows/process_creation/proc_creation_win_system_time_lookup.yml (opens in a new tab) https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: 53ead5db-7098-4111-bb3f-563be390e72e
Attack Commands: Run with command_prompt!
timeAtomic Test #6 - Discover System Time Zone via Registry
Identify the Operating System Time Zone via registry with the reg.exe command. Upon execution, the system Time Zone will be shown.
Supported Platforms: Windows
auto_generated_guid: 25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47
Attack Commands: Run with command_prompt!
reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v TimeZoneKeyName