atomic-red-team/atomics/T1124/T1124.md

# T1124 - System Time Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1124)
<blockquote>The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)

An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a [Scheduled Task](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.</blockquote>

## Atomic Tests

- [Atomic Test #1 - System Time Discovery](#atomic-test-1---system-time-discovery)

- [Atomic Test #2 - System Time Discovery - PowerShell](#atomic-test-2---system-time-discovery---powershell)


<br/>

## Atomic Test #1 - System Time Discovery
Identify the system time

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| computer_name | computer name to query | string | computer1|

#### Run it with `command_prompt`! 
```
net time \\#{computer_name}
w32tm /tz
```



<br/>
<br/>

## Atomic Test #2 - System Time Discovery - PowerShell
Identify the system time via PowerShell

**Supported Platforms:** Windows


#### Run it with `powershell`! 
```
Get-Date
```



<br/>