An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. [1] [2]
System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
. [2]
This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job [3], or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.[4]
ID | Name | Description |
---|---|---|
S0331 | Agent Tesla |
Agent Tesla can collect the timestamp from the victim’s machine.[5] |
S0622 | AppleSeed |
AppleSeed can pull a timestamp from the victim's machine.[6] |
S0373 | Astaroth |
Astaroth collects the timestamp from the infected machine. [7] |
S0344 | Azorult |
Azorult can collect the time zone information from the system.[8][9] |
S0534 | Bazar | |
S0574 | BendyBear |
BendyBear has the ability to determine local time on a compromised host.[12] |
S0268 | Bisonal |
Bisonal can check the system time set on the infected host.[13] |
S0657 | BLUELIGHT |
BLUELIGHT can collect the local time on a compromised host.[14] |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has used |
S0471 | build_downer |
build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.[16] |
S0351 | Cannon |
Cannon can collect the current time zone information from the victim’s machine.[17] |
S0335 | Carbon |
Carbon uses the command |
G0114 | Chimera |
Chimera has used |
S0660 | Clambling | |
S0126 | ComRAT |
ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).[21] |
S0608 | Conficker |
Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.[22][23] |
S0115 | Crimson |
Crimson has the ability to determine the date and time on a compromised host.[24] |
G0012 | Darkhotel |
Darkhotel malware can obtain system time from a compromised host.[25] |
S0673 | DarkWatchman |
DarkWatchman can collect the time zone information from the system.[26] |
S0694 | DRATzarus |
DRATzarus can use the |
S0554 | Egregor |
Egregor contains functionality to query the local/system time.[28] |
S0091 | Epic |
Epic uses the |
S0396 | EvilBunny |
EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox.[30] |
S0267 | FELIXROOT |
FELIXROOT gathers the time zone information from the victim’s machine.[31] |
S0588 | GoldMax |
GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server.[32][33] |
S0531 | Grandoreiro |
Grandoreiro can determine the time on the victim machine via IPinfo.[34] |
S0237 | GravityRAT |
GravityRAT can obtain the date and time of a system.[35] |
S0690 | Green Lambert |
Green Lambert can collect the date and time from a compromised host.[36][37] |
S0417 | GRIFFON |
GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.[38] |
G0126 | Higaisa | |
S0376 | HOPLIGHT |
HOPLIGHT has been observed collecting system time from victim machines.[40] |
S0260 | InvisiMole |
InvisiMole gathers the local system time from the victim’s machine.[41][42] |
G0032 | Lazarus Group |
A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[43] |
S0455 | Metamorfo | |
S0149 | MoonWind | |
S0039 | Net |
The |
S0353 | NOKKI |
NOKKI can collect the current timestamp of the victim's machine.[47] |
S0439 | Okrum |
Okrum can obtain the date and time of the compromised system.[48] |
S0264 | OopsIE |
OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.[49] |
G0116 | Operation Wocao |
Operation Wocao has used the |
S0501 | PipeMon |
PipeMon can send time zone information from a compromised host to C2.[51] |
S0139 | PowerDuke |
PowerDuke has commands to get the time the machine was built, the time, and the time zone.[52] |
S0238 | Proxysvc |
As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.[43] |
S0650 | QakBot | |
S0148 | RTM | |
S0596 | ShadowPad |
ShadowPad has collected the current date and time of the victim system.[55] |
S0140 | Shamoon |
Shamoon obtains the system time and will only activate if it is greater than a preset date.[56][57] |
S0450 | SHARPSTATS |
SHARPSTATS has the ability to identify the current date and time on the compromised host.[58] |
G0121 | Sidewinder |
Sidewinder has used tools to obtain the current system time.[59] |
S0692 | SILENTTRINITY |
SILENTTRINITY can collect start time information from a compromised host.[60] |
S0615 | SombRAT |
SombRAT can execute |
S0380 | StoneDrill |
StoneDrill can obtain the current date and time of the victim machine.[63] |
S0603 | Stuxnet |
Stuxnet collects the time and date of a system when it is infected.[64] |
S0098 | T9000 |
T9000 gathers and beacons the system time during installation.[65] |
S0011 | Taidoor |
Taidoor can use |
S0586 | TAINTEDSCRIBE |
TAINTEDSCRIBE can execute |
S0467 | TajMahal |
TajMahal has the ability to determine local time on a compromised host.[68] |
G0089 | The White Company |
The White Company has checked the current date on the victim system.[69] |
S0678 | Torisma |
Torisma can collect the current time on a victim machine.[70] |
G0010 | Turla |
Turla surveys a system upon check-in to discover the system time by using the |
S0275 | UPPERCUT |
UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine.[71] |
S0466 | WindTail |
WindTail has the ability to generate the current date and time.[72] |
S0251 | Zebrocy |
Zebrocy gathers the current time zone and date information from the system.[73][74] |
S0330 | Zeus Panda |
Zeus Panda collects the current system time (UTC) and sends it back to the C2 server.[75] |
G0128 | ZIRCONIUM |
ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.[76] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
Process Creation |
Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.