security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
pre-commit
atomic-red-team/atomics/T1124/T1124.md
T
Atomic Red Team doc generator 762f0548a1 Generated docs from job=generate-docs branch=master [ci skip]
2025-05-01 15:13:41 +00:00

212 lines
6.0 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# T1124 - System Time Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1124)
<blockquote>
An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>systemsetup</code> on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as <code>GetTickCount()</code> to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) On ESXi servers, `esxcli system clock get` can be used for the same purpose.
In addition, system calls such as <code>time()</code> have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as <code>systemsetup -gettimezone</code> or <code>timeIntervalSinceNow</code> to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - System Time Discovery](#atomic-test-1---system-time-discovery)
- [Atomic Test #2 - System Time Discovery - PowerShell](#atomic-test-2---system-time-discovery---powershell)
- [Atomic Test #3 - System Time Discovery in FreeBSD/macOS](#atomic-test-3---system-time-discovery-in-freebsdmacos)
- [Atomic Test #4 - System Time Discovery W32tm as a Delay](#atomic-test-4---system-time-discovery-w32tm-as-a-delay)
- [Atomic Test #5 - System Time with Windows time Command](#atomic-test-5---system-time-with-windows-time-command)
- [Atomic Test #6 - Discover System Time Zone via Registry](#atomic-test-6---discover-system-time-zone-via-registry)
<br/>
## Atomic Test #1 - System Time Discovery
Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 20aba24b-e61f-4b26-b4ce-4784f763ca20
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | computer name to query | string | localhost|
#### Attack Commands: Run with `command_prompt`!
```cmd
net time \\#{computer_name}
w32tm /tz
```
<br/>
<br/>
## Atomic Test #2 - System Time Discovery - PowerShell
Identify the system time via PowerShell. Upon execution, the system time will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 1d5711d6-655c-4a47-ae9c-6503c74fa877
#### Attack Commands: Run with `powershell`!
```powershell
Get-Date
```
<br/>
<br/>
## Atomic Test #3 - System Time Discovery in FreeBSD/macOS
Identify system time. Upon execution, the local computer system time and timezone will be displayed.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** f449c933-0891-407f-821e-7916a21a1a6f
#### Attack Commands: Run with `sh`!
```sh
date
```
<br/>
<br/>
## Atomic Test #4 - System Time Discovery W32tm as a Delay
identifies DCRat delay time tactics using w32tm.
https://research.splunk.com/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/
https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
**Supported Platforms:** Windows
**auto_generated_guid:** d5d5a6b0-0f92-42d8-985d-47aafa2dd4db
#### Attack Commands: Run with `command_prompt`!
```cmd
W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
```
<br/>
<br/>
## Atomic Test #5 - System Time with Windows time Command
Displays the current system time via the Windows builtin time command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time
Recently observed in use in the wild during an incident involving Ursnif malware:
https://github.com/The-DFIR-Report/Sigma-Rules/blob/dc72f0b557fc63347379be0a33439788256761c8/rules/windows/process_creation/proc_creation_win_system_time_lookup.yml
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
**Supported Platforms:** Windows
**auto_generated_guid:** 53ead5db-7098-4111-bb3f-563be390e72e
#### Attack Commands: Run with `command_prompt`!
```cmd
time
```
<br/>
<br/>
## Atomic Test #6 - Discover System Time Zone via Registry
Identify the Operating System Time Zone via registry with the reg.exe command.
Upon execution, the system Time Zone will be shown.
**Supported Platforms:** Windows
**auto_generated_guid:** 25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47
#### Attack Commands: Run with `command_prompt`!
```cmd
reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v TimeZoneKeyName
```
<br/>
Reference in New Issue View Git Blame Copy Permalink