# T1497.003 - Time Based Evasion
Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that manipulate time mechanisms to make it appear that more time has elapsed than actually has. This may include enumerating time-based properties, such as uptime or the system clock.
Adversaries may use calls like GetTickCount and GetSystemTimeAsFileTime to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)
## Atomic Tests

### Atomic Test #1 - Delay execution with ping
Uses the ping command to introduce a delay before executing a malicious payload.
**Supported Platforms:** Linux, macOS

**auto_generated_guid:** 8b87dd03-8204-478c-bac3-3959f6528de3

#### Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| evil_command | Command to run after the delay | string | whoami |
| ping_count | Number of ping requests to send (higher counts increase the delay) | integer | 250 |
#### Attack Commands: Run with `sh`!

```sh
ping -c #{ping_count} 8.8.8.8 > /dev/null
#{evil_command}
```
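As an added example, not part of this Atomic Red Team test: detection logic a defender could run over process-creation telemetry to spot the pattern above, a long bounded `ping` followed by another process from the same parent shell. The event fields `ts`, `ppid` and `cmd`, the sample events, and the 60 s thresholds are constructed assumptions to tune against real data.

```python
"""Detection logic for the ping-based delay in Atomic Test #1, run over
process-creation telemetry. Event fields and the telemetry are constructed."""
import shlex
from collections import defaultdict

def ping_delay_seconds(cmdline):
    """Approximate delay a bounded ping introduces (assumes the default 1 s
    request interval), or None if not a ping or no request count (-c)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "ping":
        return None
    count = None
    for i, tok in enumerate(argv):
        if tok == "-c" and i + 1 < len(argv) and argv[i + 1].isdigit():
            count = int(argv[i + 1])
        elif tok.startswith("-c") and tok[2:].isdigit():  # "-c250" form
            count = int(tok[2:])
    return count   # None for an unbounded ping, which never ends on its own

def find_ping_delays(events, min_delay=60, slack=60):
    """Flag a ping of at least min_delay seconds followed by another process from
    the same parent (i.e. the same shell) within the window the ping would produce."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)
    alerts = []
    for ppid, procs in by_parent.items():
        procs.sort(key=lambda e: e["ts"])
        for i, p in enumerate(procs):
            delay = ping_delay_seconds(p["cmd"])
            if delay is None or delay < min_delay:
                continue   # not a ping, or too short to be a deliberate delay
            nxt = next((n for n in procs[i + 1:] if n["ts"] - p["ts"] <= delay + slack), None)
            if nxt is not None:
                alerts.append({"ppid": ppid, "delay": delay, "ping": p["cmd"], "then": nxt["cmd"]})
    return alerts

# Constructed sample telemetry: one delayed payload and one benign connectivity check.
SAMPLE_EVENTS = [
    {"ts": 1000, "ppid": 4242, "cmd": "ping -c 250 8.8.8.8"},
    {"ts": 1251, "ppid": 4242, "cmd": "whoami"},
    {"ts": 1300, "ppid": 5555, "cmd": "ping -c 4 10.0.0.1"},
    {"ts": 1302, "ppid": 5555, "cmd": "ls -la"},
]
```

Real telemetry would come from auditd or EDR process-creation events; note that the shell performs the `> /dev/null` redirect, so it does not appear in the ping process's own command line and should not be relied on as an indicator.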