Check out the results from our first round of ATT&CK Evaluations at!

System Time Discovery

The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. [1] [2]

An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing net time \hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. [2] The information could be useful for performing other techniques, such as executing a file with a Scheduled Task [3], or to discover locality information based on time zone to assist in victim targeting.

ID: T1124

Tactic: Discovery

Platform:  Windows

Permissions Required:  User

Data Sources:  Process monitoring, Process command-line parameters, API monitoring

Version: 1.0



BRONZE BUTLER has used net time to check the local time on a target system.[4]


GravityRAT can obtain the date and time of a system.[5]


InvisiMole gathers the local system time from the victim’s machine.[6]

Lazarus Group

A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[7]


MoonWind obtains the victim's current time.[8]


The net time command can be used in Net to determine the local or remote system time.[9]


OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.[10]


PowerDuke has commands to get the time the machine was built, the time, and the time zone.[11]


As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.[7]


RTM can obtain the victim time zone.[12]


Shamoon obtains the system time and will only activate if it is greater than a preset date.[13]


T9000 gathers and beacons the system time during installation.[14]


Turla surveys a system upon check-in to discover the system time by using the net time command.[15]


UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine.[16]


Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.

Identify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting [17] tools, like AppLocker, [18] [19] or Software Restriction Policies [20] where appropriate. [21]


Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.