security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d311f19f1394de014e2e504a5052128e63351b1
atomic-red-team/atomics/T1124/T1124.md
T
Atomic Red Team doc generator ad2d7c8f13 Generated docs from job=generate-docs branch=master [ci skip]
2023-11-06 22:42:54 +00:00

175 lines
4.5 KiB
Markdown
Raw Blame History

# T1124 - System Time Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1124)
<blockquote>An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)
System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.(Citation: Technet Windows Time Service)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)</blockquote>
## Atomic Tests
- [Atomic Test #1 - System Time Discovery](#atomic-test-1---system-time-discovery)
- [Atomic Test #2 - System Time Discovery - PowerShell](#atomic-test-2---system-time-discovery---powershell)
- [Atomic Test #3 - System Time Discovery in FreeBSD/macOS](#atomic-test-3---system-time-discovery-in-freebsdmacos)
- [Atomic Test #4 - System Time Discovery W32tm as a Delay](#atomic-test-4---system-time-discovery-w32tm-as-a-delay)
- [Atomic Test #5 - System Time with Windows time Command](#atomic-test-5---system-time-with-windows-time-command)
<br/>
## Atomic Test #1 - System Time Discovery
Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 20aba24b-e61f-4b26-b4ce-4784f763ca20
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | computer name to query | string | localhost|
#### Attack Commands: Run with `command_prompt`!
```cmd
net time \\#{computer_name}
w32tm /tz
```
<br/>
<br/>
## Atomic Test #2 - System Time Discovery - PowerShell
Identify the system time via PowerShell. Upon execution, the system time will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 1d5711d6-655c-4a47-ae9c-6503c74fa877
#### Attack Commands: Run with `powershell`!
```powershell
Get-Date
```
<br/>
<br/>
## Atomic Test #3 - System Time Discovery in FreeBSD/macOS
Identify system time. Upon execution, the local computer system time and timezone will be displayed.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** f449c933-0891-407f-821e-7916a21a1a6f
#### Attack Commands: Run with `sh`!
```sh
date
```
<br/>
<br/>
## Atomic Test #4 - System Time Discovery W32tm as a Delay
identifies DCRat delay time tactics using w32tm.
https://research.splunk.com/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/
https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
**Supported Platforms:** Windows
**auto_generated_guid:** d5d5a6b0-0f92-42d8-985d-47aafa2dd4db
#### Attack Commands: Run with `command_prompt`!
```cmd
W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
```
<br/>
<br/>
## Atomic Test #5 - System Time with Windows time Command
Displays the current system time via the Windows builtin time command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time
Recently observed in use in the wild during an incident involving Ursnif malware:
https://github.com/The-DFIR-Report/Sigma-Rules/blob/dc72f0b557fc63347379be0a33439788256761c8/rules/windows/process_creation/proc_creation_win_system_time_lookup.yml
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
**Supported Platforms:** Windows
**auto_generated_guid:** 53ead5db-7098-4111-bb3f-563be390e72e
#### Attack Commands: Run with `command_prompt`!
```cmd
time
```
<br/>
Reference in New Issue View Git Blame Copy Permalink