Description
An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount() to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)
On network devices, Network Device CLI commands such as show clock detail can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) On ESXi servers, esxcli system clock get can be used for the same purpose.
In addition, system calls – such as time() – have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone or timeIntervalSinceNow to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)
This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
Threat Groups (14)
| ID | Group | Context |
|---|---|---|
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used tools to obtain the current system time.(Citation: ATT Sidewinder January 2021) |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has obtained the victim's system timezone.(Citation: CISA AA24-038A PRC Critical Infrastructure... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used a function to gather the current time.(Citation: Zscaler Higaisa 2020) |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to capture the time on a compromised host in order to register it with C2.(Citation... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used <code>net time</code> to check the local time on a target system.(Citation: Securework... |
| G1012 | CURIUM | [CURIUM](https://attack.mitre.org/groups/G1012) deployed mechanisms to check system time information following strategic website compromise attacks.(C... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover the system time by using the <code>net time</code> command.(... |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) malware can obtain system time from a compromised host.(Citation: Lastline DarkHotel Just In Time D... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>time /t</code> and <code>net time \\ip/hostname</code> for system time discovery.(Cita... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used the PowerShell script 3CF9.ps1 to execute `net time`.(Citation: BlackBerry_FIN7_April2024) |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used installation scripts to collect the system time on targeted ESXi hosts.(Citation: Google Clo... |
| G0032 | Lazarus Group | A Destover-like implant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) can obtain the current system time and send it to the C2 server... |
| G0089 | The White Company | [The White Company](https://attack.mitre.org/groups/G0089) has checked the current date on the victim system.(Citation: Cylance Shaheen Nov 2018) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has gathered the system time of the device using the PowerShell cmdlet `Get-Date`.(Citation: Aryaka K... |
Associated Software (81)
| ID | Name | Type | Context |
|---|---|---|---|
| S0140 | Shamoon | Malware | [Shamoon](https://attack.mitre.org/software/S0140) obtains the system time and will only activate if it is greater than a preset date.(Citation: Palo ... |
| S1178 | ShrinkLocker | Malware | [ShrinkLocker](https://attack.mitre.org/software/S1178) retrieves a system timestamp that is used in generating an encryption key.(Citation: Splunk Sh... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) collects the timestamp from the infected machine. (Citation: Cofense Astaroth Sept 2018) |
| S0251 | Zebrocy | Malware | [Zebrocy](https://attack.mitre.org/software/S0251) gathers the current time zone and date information from the system.(Citation: ESET Zebrocy Nov 2018... |
| S0596 | ShadowPad | Malware | [ShadowPad](https://attack.mitre.org/software/S0596) has collected the current date and time of the victim system.(Citation: Kaspersky ShadowPad Aug 2... |
| S0011 | Taidoor | Malware | [Taidoor](https://attack.mitre.org/software/S0011) can use <code>GetLocalTime</code> and <code>GetSystemTime</code> to collect system time.(Citation: ... |
| S0396 | EvilBunny | Malware | [EvilBunny](https://attack.mitre.org/software/S0396) has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather tim... |
| S0098 | T9000 | Malware | [T9000](https://attack.mitre.org/software/S0098) gathers and beacons the system time during installation.(Citation: Palo Alto T9000 Feb 2016) |
| S1051 | KEYPLUG | Malware | [KEYPLUG](https://attack.mitre.org/software/S1051) can obtain the current tick count of an infected computer.(Citation: Mandiant APT41) |
| S0039 | Net | Tool | The <code>net time</code> command can be used in [Net](https://attack.mitre.org/software/S0039) to determine the local or remote system time.(Citation... |
| S0615 | SombRAT | Malware | [SombRAT](https://attack.mitre.org/software/S0615) can execute <code>getinfo</code> to discover the current time on a compromised host.(Citation: Bla... |
| S0091 | Epic | Malware | [Epic](https://attack.mitre.org/software/S0091) uses the <code>net time</code> command to get the system time from the machine and collect the curren... |
| S9001 | SystemBC | Malware | [SystemBC](https://attack.mitre.org/software/S9001) has leveraged the time of the device to create a text file with a filename that uses the function ... |
| S1087 | AsyncRAT | Tool | [AsyncRAT](https://attack.mitre.org/software/S1087) can check whether the current system hour and day of the week are within operating hours defined i... |
| S0678 | Torisma | Malware | [Torisma](https://attack.mitre.org/software/S0678) can collect the current time on a victim machine.(Citation: McAfee Lazarus Nov 2020) |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has the ability to check the system’s time zone on the victim device.(Citation: Socket GlassWorm ... |
| S0275 | UPPERCUT | Malware | [UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to obtain the time zone information and the current timestamp of the victim’s m... |
| S0588 | GoldMax | Malware | [GoldMax](https://attack.mitre.org/software/S0588) can check the current date-time value of the compromised system, comparing it to the hardcoded exec... |
| S0608 | Conficker | Malware | [Conficker](https://attack.mitre.org/software/S0608) uses the current UTC victim system date for domain generation and connects to time servers to det... |
| S0237 | GravityRAT | Malware | [GravityRAT](https://attack.mitre.org/software/S0237) can obtain the date and time of a system.(Citation: Talos GravityRAT) |
References
- Apple Support. (n.d.). About systemsetup in Remote Desktop. Retrieved March 27, 2024.
- ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.
- Check Point Research. (2024, March 8). MAGNET GOBLIN TARGETS PUBLICLY FACING SERVERS USING 1-DAY VULNERABILITIES. Retrieved March 27, 2024.
- Cisco. (2023, March 6). show clock detail - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.
- Cone, Matt. (2021, January 14). Synchronize your Mac's Clock with a Time Server. Retrieved March 27, 2024.
- M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021.
- Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.
- Microsoft. (n.d.). System Time. Retrieved November 25, 2016.
- Rivner, U., Schwartz, E. (2012). They’re Inside… Now What?. Retrieved November 25, 2016.
Frequently Asked Questions
What is T1124 (System Time Discovery)?
T1124 is a MITRE ATT&CK technique named 'System Time Discovery'. It belongs to the Discovery tactic(s). An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>sys...
How can T1124 be detected?
Detection of T1124 (System Time Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
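The commands the description above names (net time, w32tm /tz, time /t, Get-Date, systemsetup -gettimezone, esxcli system clock get, show clock detail) all surface in process-creation or command-line telemetry, which is what the detection answer above relies on. The following is an added example, not code from the page or from MITRE, that runs that matching logic over a constructed pipe-delimited process log. The log format, the rule names, and the sample records are assumptions made for the example; the `net1` variant is included because net.exe forwards its subcommands to net1.exe on Windows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Command-line patterns for the System Time Discovery commands named on this page.
# Each tuple: (rule name, compiled regex, platform). Rule names are assumed for the example.
TIME_DISCOVERY_PATTERNS = [
    ("win_net_time",       re.compile(r"\bnet1?(\.exe)?\s+time\b", re.I),            "windows"),
    ("win_w32tm_tz",       re.compile(r"\bw32tm(\.exe)?\s+/tz\b", re.I),             "windows"),
    ("win_time_t",         re.compile(r"\btime\s+/t\b", re.I),                        "windows"),
    ("ps_get_date",        re.compile(r"\bGet-Date\b", re.I),                         "windows"),
    ("mac_systemsetup_tz", re.compile(r"\bsystemsetup\s+-gettimezone\b", re.I),      "macos"),
    ("esxi_clock_get",     re.compile(r"\besxcli\s+system\s+clock\s+get\b", re.I),   "esxi"),
    ("ios_show_clock",     re.compile(r"\bshow\s+clock(\s+detail)?\b", re.I),        "network"),
]

# Extracts the host from a UNC argument such as "net time \\DC01" (remote discovery).
UNC_TARGET = re.compile(r"\\\\([A-Za-z0-9._-]+)")


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    platform: str
    host: str
    user: str
    command_line: str
    remote_target: Optional[str]  # set only for "net time \\host" style commands


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one record of the constructed format
    timestamp|host|user|parent_image|image|command_line.
    Malformed records return None so one bad line never aborts the scan."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None
    return ProcessEvent(*parts)


def match_time_discovery(event: ProcessEvent) -> List[Finding]:
    """Return one Finding per rule whose pattern matches the event's command line."""
    findings = []
    for rule, pattern, platform in TIME_DISCOVERY_PATTERNS:
        if not pattern.search(event.command_line):
            continue
        target = None
        if rule == "win_net_time":
            m = UNC_TARGET.search(event.command_line)
            target = m.group(1) if m else None
        findings.append(Finding(rule, platform, event.host, event.user,
                                event.command_line, target))
    return findings


def scan_log(lines) -> List[Finding]:
    """Run the rules over an iterable of log lines, skipping unparsable records."""
    out: List[Finding] = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            out.extend(match_time_discovery(event))
    return out


# Constructed sample telemetry; "w32tm /resync" is included as a non-discovery control.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z|WS01|CORP\\alice|cmd.exe|net.exe|net time \\\\DC01
2024-05-01T10:00:02Z|WS01|CORP\\alice|cmd.exe|w32tm.exe|w32tm /tz
2024-05-01T10:00:03Z|WS01|CORP\\alice|cmd.exe|w32tm.exe|w32tm /resync
2024-05-01T10:00:04Z|WS02|CORP\\bob|powershell.exe|powershell.exe|powershell -c Get-Date
2024-05-01T10:00:05Z|MAC01|bob|bash|systemsetup|systemsetup -gettimezone
2024-05-01T10:00:06Z|ESX01|root|sh|esxcli|esxcli system clock get
2024-05-01T10:00:07Z|WS01|CORP\\alice|cmd.exe|cmd.exe|cmd /c time /t
not a valid record
""".splitlines()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        remote = f" -> remote target {f.remote_target}" if f.remote_target else ""
        print(f"[{f.rule}] {f.host} {f.user}: {f.command_line}{remote}")
```

Run on the sample, the scan reports six findings and ignores the `w32tm /resync` control and the malformed record. On a real estate, these commands are also typed by administrators, so treat the output as hunting input to enrich with parent process, user and frequency baselines rather than as a standalone alert; the `remote_target` field is the part most worth prioritising, since querying another host's clock from a workstation is the remote variant the description singles out.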
What mitigations exist for T1124?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1124?
Known threat groups using T1124 include: Sidewinder, Volt Typhoon, Higaisa, ZIRCONIUM, BRONZE BUTLER, CURIUM, Turla, Darkhotel.