Stealth, Discovery

T1497.003: Time Based Checks

T1497.003 · Sub-technique · 3 platforms

Description

Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock.

Adversaries may use calls like GetTickCount and GetSystemTimeAsFileTime to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)
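The pattern just described (a clock read, a sleep, then a second clock read to measure how much time really elapsed) leaves a recognisable shape in a sandbox's API-call trace. The following is an added example, not code from the ATT&CK page or any of the listed software, that scans a constructed trace for sleeps bracketed by clock queries and for long sleeps of the kind the software list attributes to Egregor and Tomiris; the trace format ("<tick> <api>(<args>)") and the one-minute threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample trace in the style of a sandbox API log (not real output).
# Line 3 sleeps for 300 s between two pairs of clock reads; line 7 is a short sleep.
SAMPLE_TRACE = """\
1000 GetTickCount()
1001 GetSystemTimeAsFileTime()
1002 Sleep(300000)
1003 GetTickCount()
1004 GetSystemTimeAsFileTime()
1005 CreateFileW("stage2.dll")
2000 Sleep(20)
2001 RegOpenKeyExW("HKLM")
"""

# Clock sources the description names, plus two common siblings (assumed).
CLOCK_APIS = {"GetTickCount", "GetTickCount64",
              "GetSystemTimeAsFileTime", "QueryPerformanceCounter"}
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")
LONG_SLEEP_MS = 60_000   # assumed threshold: flag sleeps of a minute or more
WINDOW = 2               # how many calls on each side of a Sleep to inspect


@dataclass
class Finding:
    kind: str    # "long_sleep" or "sleep_timing_check"
    line: int    # 1-based line number in the trace
    detail: str


def analyze_trace(trace: str, long_sleep_ms: int = LONG_SLEEP_MS) -> list[Finding]:
    """Return findings for every Sleep that is unusually long or is bracketed
    by clock reads on both sides (the sample-sleep-resample pattern)."""
    calls = []
    for n, raw in enumerate(trace.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if m:                      # skip lines that are not API calls
            calls.append((n, m.group(2), m.group(3)))
    findings = []
    for i, (n, api, args) in enumerate(calls):
        if api != "Sleep":
            continue
        ms = int(args) if args.isdigit() else 0
        if ms >= long_sleep_ms:
            findings.append(Finding("long_sleep", n, f"Sleep({ms}) >= {long_sleep_ms} ms"))
        before = {a for _, a, _ in calls[max(0, i - WINDOW):i]} & CLOCK_APIS
        after = {a for _, a, _ in calls[i + 1:i + 1 + WINDOW]} & CLOCK_APIS
        if before and after:       # clock sampled before and after the sleep
            findings.append(Finding("sleep_timing_check", n,
                                    f"Sleep({ms}) bracketed by {sorted(before | after)}"))
    return findings
```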

Platforms

Linux, macOS, Windows

Associated Software (47)

ID | Name | Type | Context
S0565 | Raindrop | Malware | After initial installation, [Raindrop](https://attack.mitre.org/software/S0565) runs a computation to delay execution.(Citation: Symantec RAINDROP Jan...
S0626 | P8RAT | Malware | [P8RAT](https://attack.mitre.org/software/S0626) has the ability to "sleep" for a specified time to evade detection.(Citation: Securelist APT10 March ...
S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) remained dormant after initial access for a period of up to two weeks.(Citation: FireEye SUNBURST ...
S0574 | BendyBear | Malware | [BendyBear](https://attack.mitre.org/software/S0574) can check for analysis environments and signs of debugging using the Windows API kernel32!G...
S0554 | Egregor | Malware | [Egregor](https://attack.mitre.org/software/S0554) can perform a long sleep (greater than or equal to 3 minutes) to evade detection.(Citation: JoeSec...
S0611 | Clop | Malware | [Clop](https://attack.mitre.org/software/S0611) has used the `sleep` command to avoid sandbox detection.(Citation: Unit42 Clop April 2021)
S0627 | SodaMaster | Malware | [SodaMaster](https://attack.mitre.org/software/S0627) has the ability to put itself to "sleep" for a specified time.(Citation: Securelist APT10 March ...
S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) can wait 30 minutes before initiating contact with C2.(Citation: Trend Micro DRBControl February ...
S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has used a 30 minute delay after execution to evade sandbox monitoring tools.(Citation: TrendMicro U...
S0439 | Okrum | Malware | [Okrum](https://attack.mitre.org/software/S0439)'s loader can detect presence of an emulator by using two calls to GetTickCount API, and checking whet...
S9003 | evilginx2 | Tool | [evilginx2](https://attack.mitre.org/software/S9003) has the ability to hide phishing lures for a set time to avoid scanning by sandboxes.(Citation: B...
S0512 | FatDuke | Malware | [FatDuke](https://attack.mitre.org/software/S0512) can turn itself on or off at random intervals.(Citation: ESET Dukes October 2019)
S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) can implement the `kernel32.dll` Sleep function to delay execution for up to 300 seconds befor...
S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can pause for a number of hours before entering its C2 communication loop.(Citation: ESET Turla Lu...
S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) has the ability to set a hardcoded and randomized sleep interval.(Citation: Proofpoint Bumblebee ...
S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023) can sleep randomly between 30 and 60 seconds to avoid behavioral analysis.(Citation: ESET Hidden...
S0115 | Crimson | Malware | [Crimson](https://attack.mitre.org/software/S0115) can determine when it has been installed on a host for at least 15 days before downloading the fina...
S1138 | Gootloader | Malware | [Gootloader](https://attack.mitre.org/software/S1138) can designate a sleep period of more than 22 seconds between stages of infection.(Citation: Soph...
S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) has used the command `timeout 20` to pause the execution of its initial loader.(Citation: Palo Al...
S0671 | Tomiris | Malware | [Tomiris](https://attack.mitre.org/software/S0671) has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.(Citatio...

Frequently Asked Questions

What is T1497.003 (Time Based Checks)?

T1497.003 is a MITRE ATT&CK technique named 'Time Based Checks'. It belongs to the Stealth, Discovery tactic(s). Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time....

How can T1497.003 be detected?

Detection of T1497.003 (Time Based Checks) typically involves monitoring system logs, network traffic, and endpoint telemetry. In sandbox and EDR API traces, the pattern to look for is the one the description gives: clock queries such as GetTickCount or GetSystemTimeAsFileTime sampled before and after a sleep, and unusually long or randomized sleeps before any further activity. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1497.003?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1497.003?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.