Time Based Evasion

Information

• Name: Unknown

• ID: T1480.003

• Tactics:

Introduction

Time Based Evasion (T1480.003) is a sub-technique within the MITRE ATT&CK framework categorized under Defense Evasion tactics. Adversaries leverage this method to evade detection by delaying malicious activities or scheduling them to execute at specific times. This approach helps attackers blend into normal operational patterns, evade detection mechanisms, and complicate forensic investigations by obscuring the relationship between initial compromise and subsequent malicious actions.

Deep Dive Into Technique

Time Based Evasion involves adversaries deliberately scheduling or delaying execution of malicious payloads or commands to avoid detection by automated security tools or manual analysis. Attackers typically use built-in operating system utilities, scripting languages, task schedulers, or custom-developed malware with built-in timing capabilities.

Common execution methods and mechanisms include:

• Scheduled Tasks (Windows):

  • Attackers use Windows Task Scheduler (schtasks.exe) to run malicious scripts or executables at specific times or intervals.

  • Tasks may be configured to trigger during off-hours, weekends, or holidays when security monitoring is less stringent.

• Cron Jobs (Linux/Unix):

  • Adversaries leverage cron jobs to execute scripts or binaries at predetermined intervals or specific dates/times.

  • Cron configurations (/etc/crontab or user-specific crontab files) can be modified or created to automate malicious activity.

• Sleep Commands and Delays:

  • Attackers embed intentional delays (sleep, timeout) within scripts or malware payloads, causing them to execute after a defined waiting period.

  • Delays may range from minutes to days, allowing attackers to bypass sandbox analysis or automated detection systems.

• Time-based Logic in Malware:

  • Malware can contain logic to execute only after certain conditions are met, such as specific dates, system uptime, or elapsed time since infection.

  • Time-based logic can be embedded directly within malware source code, making it difficult for analysts to trigger malicious behavior in controlled environments.

Real-world procedures may involve adversaries initially establishing persistence through benign-looking tasks or scripts, then waiting days or weeks before executing more overtly malicious commands. This delayed execution strategy reduces the likelihood of detection by automated security tools and analysts conducting incident response.

When this Technique is Usually Used

Attackers typically employ Time Based Evasion in various scenarios and stages of an attack lifecycle, including:

• Initial Access and Execution Stages:

  • Malware delivered via phishing emails or malicious downloads may delay execution to bypass automated sandbox analysis.

  • Malicious payloads embedded in legitimate software updates or installers may schedule execution at later dates to avoid immediate detection.

• Persistence and Defense Evasion Stages:

  • Scheduled tasks or cron jobs are often created to maintain persistent access, executing malicious payloads at intervals or specific times.

  • Attackers may schedule tasks during off-hours or weekends, taking advantage of reduced security monitoring.

• Command-and-Control (C2) Communication:

  • Adversaries may schedule C2 callbacks or data exfiltration activities during specific time windows to blend into normal network traffic patterns.

  • Scheduled or delayed communication helps attackers evade detection by behavioral analytics and anomaly detection systems.

• Impact and Exfiltration Stages:

  • Attackers may delay data exfiltration or destructive activities until after initial compromise and lateral movement are complete, minimizing detection risk.

  • Timing attacks to coincide with organizational downtime, holidays, or weekends reduces the likelihood of immediate detection and response.

How this Technique is Usually Detected

Detection of Time Based Evasion techniques typically involves monitoring and analyzing system events, task scheduling mechanisms, and behavioral anomalies. Common detection methods include:

• Monitoring Scheduled Tasks and Cron Jobs:

  • Regularly auditing scheduled tasks (schtasks.exe) and cron jobs for unexpected or suspicious entries.

  • Utilizing endpoint detection and response (EDR) solutions to identify anomalous task creation or modification events.

• Analyzing System Logs and Event Logs:

  • Reviewing Windows Event Logs (e.g., Event ID 4698 for task creation) or Linux system logs (/var/log/syslog, /var/log/cron) for unusual scheduling activities.

  • Correlating task creation events with other suspicious indicators such as file modifications, new processes, or network connections.

• Behavioral Analysis and Sandbox Testing:

  • Employing sandbox environments capable of detecting delayed execution or sleep commands embedded in malware.

  • Extending sandbox analysis periods and using time acceleration techniques to trigger delayed malicious actions.

• Endpoint Behavioral Monitoring:

  • Implementing behavioral analytics tools that detect abnormal process execution times, unexpected delays, or unusual timing patterns.

  • Identifying processes or scripts that remain dormant for extended periods before executing malicious commands.

Indicators of Compromise (IoCs) specific to Time Based Evasion may include:

• Unexpected scheduled tasks or cron jobs referencing unknown executables or scripts.

• Suspicious scripts containing sleep commands or time-based logic.

• Anomalous system behaviors or processes activating after extended idle periods.

• Logs indicating task scheduler or cron modifications by unauthorized or unexpected user accounts.

Why it is Important to Detect This Technique

Early detection of Time Based Evasion techniques is critical for minimizing potential impacts on systems and networks. Failure to detect these tactics can lead to:

• Extended Persistence:

  • Attackers can maintain long-term access to compromised systems, increasing the risk of lateral movement and privilege escalation.

• Delayed Detection and Response:

  • Delayed execution complicates forensic analysis and incident response, making it harder to correlate malicious activities with initial compromise events.

  • Longer attacker dwell times increase the likelihood of significant damage or data exfiltration.

• Data Exfiltration and Intellectual Property Theft:

  • Attackers may schedule data exfiltration activities during periods of low monitoring, increasing the risk of sensitive data loss.

  • Delays in detecting malicious scheduled tasks or cron jobs can lead to prolonged data leakage.

• System Disruption and Operational Impact:

  • Malicious payloads scheduled for execution during off-hours or weekends may cause significant disruptions to business continuity and operations.

  • Destructive malware payloads triggered by time-based logic can lead to irreparable damage if not detected in advance.

Detecting Time Based Evasion early allows organizations to quickly respond, contain incidents, and minimize overall damage and impact.

Examples

Real-world examples of Time Based Evasion techniques include:

• APT29 (Cozy Bear):

  • Utilized scheduled tasks to execute malicious scripts at specific intervals, allowing persistent access and stealthy data exfiltration.

  • Leveraged delayed execution to evade automated sandbox analysis and behavioral detection tools.

• FIN7 Group:

  • Employed scheduled tasks to maintain persistence and execute payloads during off-hours, reducing detection likelihood.

  • Used scripts containing deliberate sleep commands to avoid immediate execution and bypass sandbox environments.

• Lazarus Group:

  • Incorporated time-based logic in malware such as WannaCry, scheduling destructive activities after specific intervals or dates.

  • Scheduled C2 communications and data exfiltration during periods of low network monitoring.

• TrickBot Malware:

  • Implemented delays using sleep commands within scripts to evade sandbox analysis and endpoint detection tools.

  • Scheduled malicious activities to occur after periods of inactivity, complicating forensic investigations and attribution.

These examples illustrate how adversaries across various threat groups and malware families leverage Time Based Evasion to maintain persistence, evade detection, and maximize impact on targeted organizations.