security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e136a49db2497ffdf91fa0d32826dc1816637554
atomic-red-team/atomics/T1124/T1124.md
T
CircleCI Atomic Red Team doc generator 910a2a764a Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-29 13:53:28 +00:00

68 lines
2.0 KiB
Markdown
Raw Blame History

# T1124 - System Time Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1124)
<blockquote>An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)
System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.</blockquote>
## Atomic Tests
- [Atomic Test #1 - System Time Discovery](#atomic-test-1---system-time-discovery)
- [Atomic Test #2 - System Time Discovery - PowerShell](#atomic-test-2---system-time-discovery---powershell)
<br/>
## Atomic Test #1 - System Time Discovery
Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | computer name to query | string | localhost|
#### Attack Commands: Run with `command_prompt`!
```cmd
net time \\#{computer_name}
w32tm /tz
```
<br/>
<br/>
## Atomic Test #2 - System Time Discovery - PowerShell
Identify the system time via PowerShell. Upon execution, the system time will be displayed.
**Supported Platforms:** Windows
#### Attack Commands: Run with `powershell`!
```powershell
Get-Date
```
<br/>
Reference in New Issue View Git Blame Copy Permalink