System Time Discovery

From enterprise
Jump to: navigation, search
System Time Discovery
Technique
ID T1124
Tactic Discovery
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
Permissions Required User
Data Sources Process monitoring, Process command-line parameters, API monitoring

The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.12

An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.2 The information could be useful for performing other techniques, such as executing a file with a Scheduled Task3, or to discover locality information based on time zone to assist in victim targeting.

Examples

  • Turla surveys a system upon check-in to discover the system time by using the net time command.4
  • MoonWind obtains the victim's current time.5
  • The net time command can be used in Net to determine the local or remote system time.6
  • PowerDuke has commands to get the time the machine was built, the time, and the time zone.7
  • RTM can obtain the victim time zone.8
  • Shamoon obtains the system time and will only activate if it is greater than a preset date.9
  • T9000 gathers and beacons the system time during installation.10

Mitigation

Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.

Identify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting11 tools, like AppLocker,1213 or Software Restriction Policies14 where appropriate.15

Detection

Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.

References