System Time Discovery

An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. [1] [2]

System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. [2] The information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job [3], or to discover locality information based on time zone to assist in victim targeting.

ID: T1124
Sub-techniques: No sub-techniques
Tactic: Discovery
Platforms: Windows
Permissions Required: User
Data Sources: API monitoring, Process command-line parameters, Process monitoring
CAPEC ID: CAPEC-295
Version: 1.1
Created: 31 May 2017
Last Modified: 15 March 2020

Procedure Examples

Name Description
Agent Tesla

Agent Tesla can collect the timestamp from the victim’s machine.[10]

Astaroth

Astaroth collects the timestamp from the infected machine. [26]

Azorult

Azorult can collect the time zone information from the system.[23][24]

BRONZE BUTLER

BRONZE BUTLER has used net time to check the local time on a target system.[37]

build_downer

build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.[33]

Cannon

Cannon can collect the current time zone information from the victim’s machine.[7]

Carbon

Carbon uses the command net time \\127.0.0.1 to get information about the system's time.[17]

Epic

Epic uses the net time command to get the system time from the machine and collect the current date and time zone information.[11]

EvilBunny

EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to check to see if the malware is running in a sandbox.[29]

FELIXROOT

FELIXROOT gathers the time zone information from the victim’s machine.[14]

GravityRAT

GravityRAT can obtain the date and time of a system.[20]

GRIFFON

GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.[30]

HOPLIGHT

HOPLIGHT has been observed collecting system time from victim machines.[27]

InvisiMole

InvisiMole gathers the local system time from the victim’s machine.[19]

Lazarus Group

A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[8]

Metamorfo

Metamorfo uses JavaScript to get the system time.[36]

MoonWind

MoonWind obtains the victim's current time.[5]

Net

The net time command can be used in Net to determine the local or remote system time.[4]

NOKKI

NOKKI can collect the current timestamp of the victim's machine.[15]

Okrum

Okrum can obtain the date and time of the compromised system.[31]

OopsIE

OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the time zone.[22]

PowerDuke

PowerDuke has commands to get the time the machine was built, the time, and the time zone.[21]

Proxysvc

As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.[8]

RTM

RTM can obtain the victim time zone.[18]

Shamoon

Shamoon obtains the system time and will only activate if it is greater than a preset date.[12][13]

SHARPSTATS

SHARPSTATS has the ability to identify the current date and time on the compromised host.[32]

StoneDrill

StoneDrill can obtain the current date and time of the victim machine.[28]

T9000

T9000 gathers and beacons the system time during installation.[6]

TajMahal

TajMahal has the ability to determine local time on a compromised host.[34]

The White Company

The White Company has checked the current date on the victim system.[38]

Turla

Turla surveys a system upon check-in to discover the system time by using the net time command.[11]

UPPERCUT

UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine.[9]

WindTail

WindTail has the ability to generate the current date and time.[35]

Zebrocy

Zebrocy gathers the current time zone and date information from the system.[25]

Zeus Panda

Zeus Panda collects the current system time (UTC) and sends it back to the C2 server.[16]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.
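The command-line monitoring described above can be expressed as a small detection routine. The following is an added example, not part of the ATT&CK page or any vendor product: it scans constructed Sysmon-style process-creation records (EventID 1, fields Image, CommandLine, ParentImage, User, all sample values made up here) for net time and w32tm /tz invocations, and marks hits whose parent process runs from a user-writable path as worth triaging first. It deliberately matches on the command line rather than only on the image name so that a wrapped invocation such as cmd /c "net time" is still caught, and it does not attempt API-level detection, which the text notes is too noisy to be useful.

```python
"""Flag process-creation events whose command line gathers system time or
time zone (net time, w32tm /tz). Added example; the log lines below are
constructed samples in a Sysmon-like 'key=value | key=value' format, not
real telemetry."""
import re
from typing import Dict, List, Optional

# Constructed sample events. Hosts, users and paths are invented.
SAMPLE_EVENTS = """\
EventID=1 | Image=C:\\Windows\\System32\\net.exe | CommandLine=net time \\\\fileserver01 | ParentImage=C:\\Windows\\System32\\cmd.exe | User=CORP\\jdoe
EventID=1 | Image=C:\\Windows\\System32\\net1.exe | CommandLine=C:\\Windows\\system32\\net1 time \\\\127.0.0.1 | ParentImage=C:\\Windows\\System32\\net.exe | User=CORP\\jdoe
EventID=1 | Image=C:\\Windows\\System32\\w32tm.exe | CommandLine=w32tm /tz | ParentImage=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe | User=CORP\\jdoe
EventID=1 | Image=C:\\Windows\\System32\\w32tm.exe | CommandLine=w32tm /resync | ParentImage=C:\\Windows\\System32\\svchost.exe | User=NT AUTHORITY\\SYSTEM
EventID=1 | Image=C:\\Windows\\System32\\net.exe | CommandLine=net use Z: \\\\fileserver01\\share | ParentImage=C:\\Windows\\explorer.exe | User=CORP\\jdoe
EventID=1 | Image=C:\\Windows\\System32\\cmd.exe | CommandLine=cmd /c "net time /domain" | ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | User=CORP\\svc-backup
"""

# Each rule is (name, pattern over the full command line). The leading
# character class lets the utility name follow a path separator or a quote,
# so "C:\...\net1 time" and cmd /c "net time" both match.
RULES = [
    ("net time", re.compile(r'(?:^|[\s"\'\\])net1?(?:\.exe)?\s+time\b', re.IGNORECASE)),
    ("w32tm /tz", re.compile(r'(?:^|[\s"\'\\])w32tm(?:\.exe)?\b.*?\s/tz\b', re.IGNORECASE)),
]

# Parent binaries launched from these locations are a triage signal, not proof.
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|downloads|public)\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value | key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a hit record if the event's command line matches a rule."""
    if event.get("EventID") != "1":
        return None
    cmd = event.get("CommandLine", "")
    for name, pattern in RULES:
        if pattern.search(cmd):
            parent = event.get("ParentImage", "")
            return {
                "rule": name,
                "user": event.get("User", ""),
                "image": event.get("Image", ""),
                "command_line": cmd,
                "parent_image": parent,
                "unusual_parent": bool(USER_WRITABLE.search(parent)),
            }
    return None


def detect_time_discovery(log_text: str) -> List[Dict[str, object]]:
    """Run every rule over every non-empty record and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = classify(parse_event(line))
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in detect_time_discovery(SAMPLE_EVENTS):
        flag = " [unusual parent]" if h["unusual_parent"] else ""
        print(f'{h["rule"]:<10} {h["user"]:<20} {h["command_line"]}{flag}')
```

On the sample set the routine reports four of the six records: the three net time variants and the w32tm /tz call; net use and w32tm /resync are left alone. Only the w32tm /tz record is marked with an unusual parent, because its parent runs from a Temp directory. In a real deployment the net time hits from administrative hosts will be frequent, so the parent-path and user fields are what separate routine use from something to look at.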

References

  1. Microsoft. (n.d.). System Time. Retrieved November 25, 2016.
  2. Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.
  3. Rivner, U., Schwartz, E. (2012). They’re Inside… Now What?. Retrieved November 25, 2016.
  4. Microsoft. (n.d.). Net time. Retrieved November 25, 2016.
  5. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  6. Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  7. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  8. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  9. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  10. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  11. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  12. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  13. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  14. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  15. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  16. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  17. GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.
  18. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  19. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  20. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  21. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  22. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  23. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  24. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  25. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  26. Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  27. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  28. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  29. Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  30. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  31. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  32. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  33. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  34. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  35. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  36. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  37. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  38. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.