System Time Discovery

The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. [1] [2]

An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. [2] The information could be useful for performing other techniques, such as executing a file with a Scheduled Task [3], or to discover locality information based on time zone to assist in victim targeting.

ID: T1124

Tactic: Discovery

Platform: Windows

Permissions Required: User

Data Sources: Process monitoring, Process command-line parameters, API monitoring

Version: 1.0

Examples

| Name | Description |
|------|-------------|
| BRONZE BUTLER | BRONZE BUTLER has used net time to check the local time on a target system.[4] |
| GravityRAT | GravityRAT can obtain the date and time of a system.[5] |
| InvisiMole | InvisiMole gathers the local system time from the victim’s machine.[6] |
| Lazarus Group | A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[7] |
| MoonWind | MoonWind obtains the victim's current time.[8] |
| Net | The net time command can be used in Net to determine the local or remote system time.[9] |
| OopsIE | OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.[10] |
| PowerDuke | PowerDuke has commands to get the time the machine was built, the time, and the time zone.[11] |
| Proxysvc | As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.[7] |
| RTM | RTM can obtain the victim time zone.[12] |
| Shamoon | Shamoon obtains the system time and will only activate if it is greater than a preset date.[13] |
| T9000 | T9000 gathers and beacons the system time during installation.[14] |
| Turla | Turla surveys a system upon check-in to discover the system time by using the net time command.[15] |
| UPPERCUT | UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine.[16] |

Mitigation

Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.

Identify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting [17] tools, like AppLocker, [18] [19] or Software Restriction Policies [20] where appropriate. [21]

Detection

Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.
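One way to apply the command-line monitoring described above, as an added example that is not part of the original ATT&CK page: a matcher for the two commands this page names (net time and w32tm /tz) run over process-creation records. The record fields, host names and user names are constructed for illustration and do not follow any particular log schema.

```python
import re
from ntpath import basename

# Tool -> test over lower-cased arguments. Only the commands named on this page.
RULES = {
    "net.exe": lambda args: args[:1] == ["time"],
    "net1.exe": lambda args: args[:1] == ["time"],  # net.exe usually spawns net1.exe
    "w32tm.exe": lambda args: "/tz" in args,
}
TOKEN = re.compile(r'"[^"]*"|\S+')  # keeps a quoted image path as one token


def classify(cmdline):
    """Return {'tool', 'remote_target'} for a time-discovery command, else None."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens:
        return None
    image = basename(tokens[0]).lower()
    if not image.endswith(".exe"):
        image += ".exe"  # "net" and "net.exe" resolve to the same binary
    rule = RULES.get(image)
    if rule is None or not rule([t.lower() for t in tokens[1:]]):
        return None
    # A UNC-style argument means the time of another host was queried.
    remote = next((t for t in tokens[1:] if t.startswith("\\\\")), None)
    return {"tool": image, "remote_target": remote}


def hunt(events):
    """Return (event, finding) pairs for every record that matches a rule."""
    return [(e, f) for e in events if (f := classify(e["cmdline"]))]


# Constructed sample records; field names are assumptions, not a real log schema.
EVENTS = [
    {"host": "WS-014", "user": "jdoe", "cmdline": r"net time \\FILESRV01"},
    {"host": "WS-014", "user": "jdoe", "cmdline": r'"C:\Windows\System32\net1.exe"  TIME'},
    {"host": "WS-020", "user": "svc_bk", "cmdline": "w32tm /tz"},
    {"host": "WS-020", "user": "svc_bk", "cmdline": r"net use \\timeserver\share"},
    {"host": "DC-01", "user": "SYSTEM", "cmdline": "w32tm /query /status"},
    {"host": "WS-031", "user": "asmith", "cmdline": r"C:\Windows\System32\NET.EXE time /domain"},
]

if __name__ == "__main__":
    for event, finding in hunt(EVENTS):
        print(event["host"], event["user"], finding["tool"],
              finding["remote_target"] or "local", sep="\t")
```

Matching on the subcommand position rather than on the substring "time" keeps net use \\timeserver\share out of the results, and the remote_target field separates local checks from queries against other hosts.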

References