Untrusted or unusual process/script (cmd.exe, powershell.exe, w32tm.exe, net.exe, custom binaries) queries system time/timezone (e.g., w32tm /tz, net time \host, Get-TimeZone, GetTickCount API) and (optionally) is followed within a short window by time-based scheduling or conditional execution (e.g., schtasks /create, at.exe, PowerShell Start-Sleep with large values).

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | High-frequency or suspicious sequence of QueryPerformanceCounter/GetTickCount API calls from a non-standard process lineage |
| Scheduled Job Creation (DC0001) | WinEventLog:TaskScheduler | EventCode=106 |
| Scheduled Job Metadata (DC0005) | WinEventLog:TaskScheduler | Task registration/execution shortly after a time discovery event |
| Process Metadata (DC0034) | EDR:Telemetry | Process lineage and API usage enrichment (GetSystemTime, GetTimeZoneInformation, NtQuerySystemTime) |

| Field | Description |
|---|---|
| TimeWindow | Correlation window (e.g., 5–15 minutes) between time discovery and follow-on scheduling/conditional actions. |
| AllowedParents | Legitimate parent processes (e.g., corporate scripts, management agents) that frequently call time APIs. |
| CommandlineKeywordList | Extend/restrict keyword list for time queries (e.g., custom PS functions, .NET calls). |
| UserContextScope | Restrict to non-service, non-administrative, or newly created/rare users. |
| ProcessPrevalenceThreshold | Frequency threshold to exclude common estate-wide benign usage. |

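
The Windows correlation above, written out as an added example (not part of the original page or any product's detection content): a single pass over constructed 4688-style process creation events applies the TimeWindow, AllowedParents, CommandlineKeywordList and ProcessPrevalenceThreshold tunables and alerts when a time query is followed by schtasks /create, at.exe or a large Start-Sleep from the same host and user. The event field names, the management-agent parent path and all sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables mirroring the table above (constructed placeholder values).
TIME_WINDOW = timedelta(minutes=10)                                         # TimeWindow
ALLOWED_PARENTS = {r"c:\program files\mgmtagent\agent.exe"}                 # AllowedParents (assumed agent path)
TIME_QUERY_RE = re.compile(r"w32tm\s+/tz|net\s+time|get-timezone|get-date", re.I)  # CommandlineKeywordList
PREVALENCE_THRESHOLD = 20                                                   # ProcessPrevalenceThreshold (hosts)
LONG_SLEEP_SECONDS = 600                                                    # Start-Sleep at or above this is "large"

# Constructed 4688-style events: timestamp, host, user, parent image, new process command line.
EVENTS_4688 = [
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "user": "jdoe",
     "parent": r"c:\windows\explorer.exe", "cmd": "cmd.exe /c w32tm /tz"},
    {"ts": "2024-05-01T09:03:40", "host": "WS01", "user": "jdoe",
     "parent": r"c:\windows\system32\cmd.exe", "cmd": "schtasks /create /tn Updater /sc once /st 23:00 /tr c:\\users\\public\\u.exe"},
    {"ts": "2024-05-01T09:10:00", "host": "WS02", "user": "svc_mgmt",
     "parent": r"c:\program files\mgmtagent\agent.exe", "cmd": "powershell.exe Get-TimeZone"},
    {"ts": "2024-05-01T09:11:00", "host": "WS02", "user": "svc_mgmt",
     "parent": r"c:\program files\mgmtagent\agent.exe", "cmd": "schtasks /create /tn Inventory /sc daily /st 02:00"},
    {"ts": "2024-05-01T10:00:00", "host": "WS03", "user": "bob",
     "parent": r"c:\windows\system32\cmd.exe", "cmd": "powershell.exe -c Get-Date; Start-Sleep -Seconds 7200"},
]

def is_follow_on(cmd):
    """Scheduling (schtasks /create, at.exe) or a long Start-Sleep counts as a follow-on action."""
    if re.search(r"schtasks(\.exe)?\s+/create|\bat\.exe\b", cmd, re.I):
        return True
    m = re.search(r"start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)", cmd, re.I)
    return bool(m) and int(m.group(1)) >= LONG_SLEEP_SECONDS

def correlate(events):
    """Time-ordered pass: remember the last time query per (host, user); alert on a follow-on inside TIME_WINDOW."""
    hosts_per_query = defaultdict(set)              # prevalence: distinct hosts running each exact query
    for ev in events:
        if TIME_QUERY_RE.search(ev["cmd"]):
            hosts_per_query[ev["cmd"].lower()].add(ev["host"])
    last_query, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["parent"].lower() in ALLOWED_PARENTS:
            continue                                # management agents that legitimately call time APIs
        ts, key = datetime.fromisoformat(ev["ts"]), (ev["host"], ev["user"])
        if TIME_QUERY_RE.search(ev["cmd"]) and len(hosts_per_query[ev["cmd"].lower()]) < PREVALENCE_THRESHOLD:
            last_query[key] = (ts, ev["cmd"])
        if is_follow_on(ev["cmd"]) and key in last_query and ts - last_query[key][0] <= TIME_WINDOW:
            alerts.append({"host": ev["host"], "user": ev["user"], "query": last_query[key][1],
                           "follow_on": ev["cmd"], "delta_s": int((ts - last_query[key][0]).total_seconds())})
    return alerts
```

With the sample data, WS02 is suppressed by AllowedParents while WS01 (query then schtasks 215 s later) and WS03 (Get-Date and a 7200 s sleep in one command) each produce an alert.
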

A process (often spawned by a shell, interpreter, or malware implant) executes time discovery via commands (date, timedatectl, hwclock, cat /etc/timezone, /proc/uptime) or direct syscalls (time(), clock_gettime) and is (optionally) followed by scheduled task creation/modification (crontab, at) or conditional sleep logic.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | type=EXECVE or SYSCALL for /bin/date, /usr/bin/timedatectl, /sbin/hwclock, /bin/cat /etc/timezone, /bin/cat /proc/uptime |
| OS API Execution (DC0021) | auditd:SYSCALL | Rules capturing clock_gettime, time, gettimeofday syscalls when enabled |
| User Account Authentication (DC0002) | linux:syslog | sudo/date/timedatectl execution by non-standard users |
| Scheduled Job Metadata (DC0005) | linux::cron | crontab or at job created within TimeWindow post time discovery |

| Field | Description |
|---|---|
| AuditRulesSyscalls | Scope of syscalls (time, clock_gettime, gettimeofday) monitored; may be performance-sensitive. |
| AllowedBinaries | List of legitimate automation/orchestration tools frequently querying time. |
| TimeWindow | Correlation window (e.g., 5–20 minutes) to link time discovery to follow-on cron/at changes. |
| UserContextScope | Ignore root-owned maintenance agents if desired; focus on interactive or newly created users. |

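
On Linux the raw material is auditd, where one execve spans a SYSCALL record and an EXECVE record joined by the audit serial, and argv entries with spaces arrive hex-encoded. This added example (not from the page or any tool) reconstructs exec events from constructed audit records, then pairs a crontab/at execution with a preceding time query by the same uid inside TimeWindow, skipping root per UserContextScope. The record text, key names and binary paths are assumptions.

```python
import re

# Constructed auditd records (not from a real host): each execve yields a SYSCALL and an EXECVE record
# sharing one msg=audit(ts:serial) id, and auditd hex-encodes argv entries that contain spaces.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1714554005.101:501): arch=c000003e syscall=59 success=yes exit=0 uid=1001 auid=1001 comm="date" exe="/usr/bin/date" key="time_discovery"
type=EXECVE msg=audit(1714554005.101:501): argc=2 a0="date" a1=2B25592D256D2D256420255A
type=SYSCALL msg=audit(1714554190.220:502): arch=c000003e syscall=59 success=yes exit=0 uid=1001 auid=1001 comm="crontab" exe="/usr/bin/crontab" key="cron_change"
type=EXECVE msg=audit(1714554190.220:502): argc=2 a0="crontab" a1="/tmp/job"
type=SYSCALL msg=audit(1714560000.000:503): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=0 comm="timedatectl" exe="/usr/bin/timedatectl" key="time_discovery"
type=EXECVE msg=audit(1714560000.000:503): argc=1 a0="timedatectl"
"""
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$", re.M)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
TIME_DISCOVERY = {"/usr/bin/date", "/usr/bin/timedatectl", "/sbin/hwclock"}   # exe paths treated as time queries
SCHEDULERS = {"/usr/bin/crontab", "/usr/bin/at"}                              # follow-on scheduling binaries
TIME_WINDOW = 15 * 60                                                          # TimeWindow, seconds
IGNORE_ROOT = True                                                             # UserContextScope: skip root-owned agents

def parse_kv(body):
    """Split a record body into a dict, decoding hex-encoded argv fields (a0, a1, ...) back to text."""
    out = {}
    for m in KV_RE.finditer(body):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        is_hex_arg = quoted is None and re.fullmatch(r"a\d+", key) and re.fullmatch(r"(?:[0-9A-F]{2})+", raw)
        out[key] = bytes.fromhex(raw).decode("utf-8", "replace") if is_hex_arg else (raw if quoted is None else quoted)
    return out

def parse_audit(text):
    """Join SYSCALL and EXECVE records by serial into exec events carrying uid, exe, key and argv."""
    events = {}
    for m in RECORD_RE.finditer(text):
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"ts": float(ts), "uid": None, "exe": None, "key": None, "argv": []})
        kv = parse_kv(body)
        if rtype == "SYSCALL":
            ev.update(uid=kv.get("uid"), exe=kv.get("exe"), key=kv.get("key"))
        elif rtype == "EXECVE":
            ev["argv"] = [kv[f"a{i}"] for i in range(int(kv["argc"])) if f"a{i}" in kv]
    return sorted(events.values(), key=lambda e: e["ts"])

def correlate(events):
    """Pair a crontab/at execution with a prior time query by the same uid inside TIME_WINDOW."""
    alerts, last_query = [], {}
    for ev in (e for e in events if not (IGNORE_ROOT and e["uid"] == "0")):
        if ev["exe"] in TIME_DISCOVERY:
            last_query[ev["uid"]] = ev
        elif ev["exe"] in SCHEDULERS and ev["uid"] in last_query and ev["ts"] - last_query[ev["uid"]]["ts"] <= TIME_WINDOW:
            alerts.append({"uid": ev["uid"], "query": last_query[ev["uid"]]["argv"], "follow_on": ev["argv"]})
    return alerts
```

The hex argument decodes to the date format string "+%Y-%m-%d %Z", and only uid 1001 (date, then crontab 185 s later) is paired; the root timedatectl event is dropped by the scope filter.
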

Process/script execution of systemsetup -gettimezone, date, ioreg, or API usage (timeIntervalSinceNow, gettimeofday) followed by time-based scheduling (launchd plist modification) or sleep-based execution.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process exec events of systemsetup, date, ioreg with command_line parameters indicating time discovery |
| Scheduled Job Metadata (DC0005) | macos:unifiedlog | New/modified launchd plist (persistence/scheduling) within TimeWindow after time query |

| Field | Description |
|---|---|
| LaunchdPaths | Organization-specific list of allowed launchd write locations to filter benign agents. |
| TimeWindow | Correlation window to link time discovery to launchd persistence/scheduling. |
| AllowedCallers | Known management agents (e.g., JAMF) that legitimately call systemsetup/date. |


Interactive or remote shell/API invocation of esxcli system clock get or querying time parameters via hostd/vpxa shortly followed by time/ntp configuration checks or scheduled task creation, executed by non-standard accounts or outside maintenance windows.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:shell | /var/log/shell.log entries containing "esxcli system clock get" |
| Process Metadata (DC0034) | esxi:hostd | /var/log/hostd.log API calls reading/altering time/ntp settings |
| Scheduled Job Metadata (DC0005) | esxi:syslog | /var/log/vpxa.log task invocations tied to time configuration |

| Field | Description |
|---|---|
| MaintenanceWindow | Only alert if outside approved ops windows. |
| PrivilegedAccountsAllowList | Suppress alerts for known service accounts. |
| RemoteIPAllowList | Whitelist management station IPs. |
| TimeWindow | Correlation between esxcli time query and subsequent hostd/vpxa config calls. |


Non-standard or rare users/locations issue CLI commands like "show clock detail" or "show timezone"; optionally followed by configuration of time/timezone or NTP sources. AAA/TACACS+ accounting and syslog correlate execution to identity, source IP, and privilege level.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:syslog | command-exec: CLI commands containing "show clock", "show clock detail", "show timezone" executed by suspicious user/source |
| File Modification (DC0061) | networkdevice:config | config-change: timezone or ntp server configuration change after a time query command |

| Field | Description |
|---|---|
| AllowedAdminSubnets | Only alert on access from outside the NOC/management subnets. |
| KnownMaintenanceUsers | Whitelist known automation/orchestration accounts. |
| TimeWindow | Correlation window between time query and config change. |

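
For network devices the scoping is by identity and source address rather than by process lineage. This added example (not the page's or any vendor's code) applies AllowedAdminSubnets and KnownMaintenanceUsers to constructed device log lines that already carry the AAA-derived user and source IP, flags "show clock"/"show timezone" from out-of-scope sources, and escalates when the same user and source changes timezone or NTP configuration within TimeWindow. The line layout, subnet, user names and addresses are assumptions, not any real syslog format.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Tunables from the table above (constructed values).
ALLOWED_ADMIN_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]     # AllowedAdminSubnets (NOC/management)
KNOWN_MAINTENANCE_USERS = {"netops-automation"}                     # KnownMaintenanceUsers
TIME_WINDOW = timedelta(minutes=15)                                 # TimeWindow
TIME_QUERIES = ("show clock", "show timezone")                      # query commands of interest
CONFIG_CHANGES = ("clock timezone", "ntp server")                   # follow-on config changes

# Constructed device log lines in a simplified "ts host kind user=... src=... cmd=..." layout, already
# merged with AAA accounting fields (user, src); this is not any vendor's exact syslog format.
DEVICE_LOG = """\
2024-05-01T08:00:00 rtr1 command-exec user=netops-automation src=10.10.0.5 cmd="show clock detail"
2024-05-01T08:05:00 rtr1 command-exec user=jdoe src=198.51.100.23 cmd="show clock detail"
2024-05-01T08:07:30 rtr1 config-change user=jdoe src=198.51.100.23 cmd="ntp server 203.0.113.9"
2024-05-01T09:00:00 rtr2 command-exec user=alice src=10.10.0.7 cmd="show timezone"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (command-exec|config-change) user=(\S+) src=(\S+) cmd="([^"]*)"$', re.M)

def in_admin_subnet(src):
    """True when the source address falls inside any approved NOC/management subnet."""
    return any(ipaddress.ip_address(src) in net for net in ALLOWED_ADMIN_SUBNETS)

def analyze(text):
    """Flag time queries by non-maintenance users outside the admin subnets, and raise severity when the
    same user and source changes timezone/NTP configuration within TIME_WINDOW of the query."""
    findings, last_query = [], {}
    for m in LINE_RE.finditer(text):
        ts_text, host, kind, user, src, cmd = m.groups()
        if user in KNOWN_MAINTENANCE_USERS or in_admin_subnet(src):
            continue                                    # in scope: rare users/locations only
        ts, key = datetime.fromisoformat(ts_text), (host, user, src)
        if kind == "command-exec" and cmd.startswith(TIME_QUERIES):
            last_query[key] = ts
            findings.append({"severity": "low", "host": host, "user": user, "src": src, "cmd": cmd})
        elif (kind == "config-change" and cmd.startswith(CONFIG_CHANGES)
              and key in last_query and ts - last_query[key] <= TIME_WINDOW):
            findings.append({"severity": "high", "host": host, "user": user, "src": src, "cmd": cmd})
    return findings
```
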