2018-05-25 08:15:00 -04:00
attack_technique : T1124
display_name : System Time Discovery
atomic_tests :
- name : System Time Discovery
2020-05-15 17:19:25 +00:00
auto_generated_guid : 20aba24b-e61f-4b26-b4ce-4784f763ca20
2018-05-25 08:15:00 -04:00
description : |
2020-03-31 17:23:05 -07:00
Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
2018-05-25 08:15:00 -04:00
supported_platforms :
2020-06-17 12:55:46 -06:00
- windows
2018-05-25 08:15:00 -04:00
input_arguments :
2018-05-27 15:42:23 +01:00
computer_name :
2018-05-25 08:15:00 -04:00
description : computer name to query
2023-02-13 17:10:37 -06:00
type : string
2019-12-02 10:54:21 -06:00
default : localhost
2018-05-25 08:15:00 -04:00
executor :
command : |
2018-08-31 07:59:05 -04:00
net time \\#{computer_name}
2018-05-25 08:15:00 -04:00
w32tm /tz
2020-06-17 12:55:46 -06:00
name : command_prompt
2018-05-25 08:15:00 -04:00
- name : System Time Discovery - PowerShell
2020-05-15 17:19:25 +00:00
auto_generated_guid : 1d5711d6-655c-4a47-ae9c-6503c74fa877
2018-05-25 08:15:00 -04:00
description : |
2020-03-31 17:23:05 -07:00
Identify the system time via PowerShell. Upon execution, the system time will be displayed.
2018-05-25 08:15:00 -04:00
supported_platforms :
2020-06-17 12:55:46 -06:00
- windows
2018-05-25 08:15:00 -04:00
executor :
command : |
2018-09-05 11:35:24 -04:00
Get-Date
2020-06-17 12:55:46 -06:00
name : powershell
2023-05-08 11:06:08 -05:00
- name : System Time Discovery in FreeBSD/macOS
2021-11-15 16:55:00 +00:00
auto_generated_guid : f449c933-0891-407f-821e-7916a21a1a6f
2021-10-28 19:24:28 +05:30
description : |
Identify system time. Upon execution, the local computer system time and timezone will be displayed.
supported_platforms :
2023-11-06 17:41:43 -05:00
- linux
2023-02-13 17:10:37 -06:00
- macos
2021-10-28 19:24:28 +05:30
executor :
command : |
date
name : sh
2022-09-06 21:14:04 +02:00
- name : System Time Discovery W32tm as a Delay
auto_generated_guid : d5d5a6b0-0f92-42d8-985d-47aafa2dd4db
description : |
identifies DCRat delay time tactics using w32tm.
https://research.splunk.com/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/
https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
supported_platforms :
- windows
executor :
command : |
W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
name : command_prompt
2023-02-21 21:05:49 -05:00
- name : System Time with Windows time Command
2023-02-22 02:06:14 +00:00
auto_generated_guid : 53ead5db-7098-4111-bb3f-563be390e72e
2023-02-21 21:05:49 -05:00
description : |
Displays the current system time via the Windows builtin time command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time
Recently observed in use in the wild during an incident involving Ursnif malware:
https://github.com/The-DFIR-Report/Sigma-Rules/blob/dc72f0b557fc63347379be0a33439788256761c8/rules/windows/process_creation/proc_creation_win_system_time_lookup.yml
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
supported_platforms :
- windows
executor :
command : |
time
name : command_prompt
2024-12-19 01:42:42 +01:00
- name : Discover System Time Zone via Registry
2024-12-19 00:43:51 +00:00
auto_generated_guid : 25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47
2024-12-19 01:42:42 +01:00
description : |
Identify the Operating System Time Zone via registry with the reg.exe command.
Upon execution, the system Time Zone will be shown.
supported_platforms :
- windows
executor :
command : |
reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v TimeZoneKeyName
name : command_prompt
elevation_required : false
