System Time Discovery

Information

• Name: System Time Discovery

• ID: T1124

• Tactics:

Introduction

System Time Discovery is a technique defined in the MITRE ATT&CK framework (ID: T1124), categorized under the tactic "Discovery." Attackers leverage this technique to collect information about the system's timestamp and time zone settings. Gathering system time data helps adversaries synchronize their activities, evade detection, or ensure the effectiveness of time-sensitive attacks. Understanding and detecting this technique can significantly enhance defensive strategies and incident response capabilities.

Deep Dive Into Technique

System Time Discovery involves adversaries querying or accessing system settings to determine the local time, time zone, or synchronization status. Attackers typically execute standard commands or scripts available in operating systems to achieve this, reducing the likelihood of detection.

Common execution methods include:

• Windows Platforms:

  • Using the built-in time and date commands via the command prompt (cmd.exe).

    Copy

    time /T
    date /T

  • PowerShell commands:

    Copy

    Get-Date
    [System.TimeZoneInfo]::Local

  • Querying Windows Management Instrumentation (WMI):

    Copy

    wmic os get localdatetime

• Linux/Unix Platforms:

  • Using built-in commands like date, timedatectl, or checking system configuration files:

    Copy

    date
    timedatectl
    cat /etc/timezone
    ls -l /etc/localtime

  • Reading system logs or configuration files to infer time settings.

Attackers may also access system APIs or environment variables programmatically within malware or scripts to retrieve accurate timing information.

Real-world procedures often combine this technique with automation scripts or embedded commands within malware payloads, allowing adversaries to quickly gather system information during initial reconnaissance or lateral movement stages.

When this Technique is Usually Used

Attackers utilize System Time Discovery across various stages and scenarios, including:

• Initial Reconnaissance:

  • Gathering system information immediately after gaining initial access to understand the victim environment.

• Defense Evasion and Persistence:

  • Synchronizing malicious payload execution with specific time frames to evade detection mechanisms such as scheduled scans or monitoring tools.

  • Ensuring malware executes at appropriate local business hours to blend in with legitimate system activities.

• Credential Access and Lateral Movement:

  • Correlating timestamps to identify active user sessions or scheduled tasks, aiding in lateral movement strategies.

• Command and Control (C2):

  • Synchronizing beaconing or callbacks with specific time windows to evade anomaly detection systems.

• Impact and Exfiltration:

  • Coordinating data exfiltration activities during off-hours or periods of reduced monitoring.

Due to its simplicity and low detection profile, adversaries frequently incorporate this technique into automated scripts and malware payloads, making it prevalent across numerous attack campaigns.

How this Technique is Usually Detected

Detection methods for System Time Discovery typically involve monitoring command execution, process creation events, and anomalous script behavior. Effective detection strategies include:

• Process and Command Line Monitoring:

  • Monitoring execution of commands related to system time retrieval (e.g., date, time, timedatectl, wmic).

  • Analyzing command-line logging from endpoint detection and response (EDR) solutions or security information and event management (SIEM) platforms.

• Endpoint Detection and Response (EDR) Solutions:

  • Implementing rules to flag suspicious or unexpected execution of common system-time commands.

  • Behavioral analysis to detect abnormal patterns or frequency of system-time queries.

• Security Information and Event Management (SIEM):

  • Correlating logs from endpoints, servers, and network devices to identify unusual patterns or spikes in system-time queries.

  • Leveraging threat intelligence feeds to identify known malicious scripts or malware associated with this technique.

• File and Registry Auditing:

  • Monitoring access to files related to system time configuration, such as /etc/timezone or Windows registry keys (HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation).

Indicators of Compromise (IoCs) for this technique include:

• Frequent or repeated execution of commands like wmic os get localdatetime, date, time, or timedatectl.

• Unusual scripts or binaries querying system time information.

• Suspicious processes accessing system configuration files or registry keys related to time settings.

Why it is Important to Detect This Technique

Detecting System Time Discovery is crucial for several reasons:

• Early Warning Indicator:

  • Often an initial reconnaissance step; detecting this activity enables security teams to identify and respond to intrusions at an early stage.

• Defense Evasion Prevention:

  • Attackers frequently synchronize attacks to evade monitoring; detecting time discovery helps disrupt their timing strategies.

• Reducing Attack Impact:

  • Early detection of reconnaissance activities limits adversaries' ability to execute more damaging and coordinated attacks.

• Improved Incident Response:

  • Understanding attacker timelines and synchronization efforts aids incident responders in reconstructing attack sequences and mitigating damage effectively.

• Enhanced Threat Intelligence:

  • Identifying and analyzing this technique contributes to broader threat intelligence efforts, improving defensive measures and preventative controls across the organization.

Failure to detect this seemingly benign reconnaissance technique can lead to prolonged attacker presence, increased risk of lateral movement, and greater overall damage to organizational assets.

Examples

Real-world examples demonstrating System Time Discovery include:

• APT29 (Cozy Bear):

  • This threat actor has been observed using PowerShell commands like Get-Date and WMI queries (wmic os get localdatetime) during reconnaissance phases to determine system time and synchronize their operations.

• FIN7 Group:

  • Known for financial cybercrime, FIN7 utilized scripts and malware that executed standard Windows commands (date, time) to gather local system time, aiding in scheduling malware execution and exfiltration activities during low-visibility periods.

• TrickBot Malware:

  • TrickBot, a widespread banking trojan, leveraged system time discovery commands to synchronize its communication with command-and-control servers, avoiding detection by timing beaconing activities during expected system idle periods.

• Lazarus Group:

  • The North Korean-linked Lazarus Group utilized Linux commands (date, timedatectl) in their malware to retrieve system time information, helping coordinate attacks and evade monitoring by timing their activities appropriately.

In these scenarios, adversaries used readily available system commands, scripts, or malware-embedded functions to query system time, enabling synchronization, stealth, and improved effectiveness of their malicious operations. Detecting and responding to such activities promptly can significantly reduce the success rate and impact of these sophisticated attacks.