yugoslavskiy
30 lines
1.1 KiB
YAML
30 lines
1.1 KiB
YAML
title: Discovery of a system time
|
||
description: Identifies use of various commands to query a system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
|
||
status: experimental
|
||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
|
||
date: 2019/10/24
|
||
modified: 2019/11/11
|
||
references:
|
||
- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
|
||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md
|
||
tags:
|
||
- attack.discovery
|
||
- attack.t1124
|
||
detection:
|
||
selection:
|
||
- Image|endswith:
|
||
- '\net.exe'
|
||
- '\net1.exe'
|
||
CommandLine|contains: 'time'
|
||
- Image|endswith: '\w32tm.exe'
|
||
CommandLine|contains: 'tz'
|
||
- Image|endswith: '\powershell.exe'
|
||
CommandLine|contains: 'Get-Date'
|
||
condition: selection
|
||
falsepositives:
|
||
- Legitimate use of the system utilities to discover system time for legitimate reason
|
||
level: high
|
||
logsource:
|
||
category: process_creation
|
||
product: windows
|