# T1124 System Time Discovery

-----------------------------------------------------------------------

## Technique Description

An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)

System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service)

This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time. (Citation: AnyRun TimeBomb)

## Technique Detection

Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.

-----------------------------------------------------------------------

### Tactics:

  * Discovery

### Platforms:

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Command:** Command Execution

  * **Process:** Process Creation

  * **Process:** OS API Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to capture the time on a compromised host in order to register it with C2. (Citation: Zscaler APT31 Covid-19 October 2020) |
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used a function to gather the current time. (Citation: Zscaler Higaisa 2020) |
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used tools to obtain the current system time. (Citation: ATT Sidewinder January 2021) |
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used the <code>time</code> command to retrieve the current time of a compromised system. (Citation: FoxIT Wocao December 2019) |
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>time /t</code> and <code>net time \\ip/hostname</code> for system time discovery. (Citation: NCC Group Chimera January 2021) |
| The White Company | [The White Company](https://attack.mitre.org/groups/G0089) has checked the current date on the victim system. (Citation: Cylance Shaheen Nov 2018) |
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used <code>net time</code> to check the local time on a target system. (Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Lazarus Group | A Destover-like implant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) can obtain the current system time and send it to the C2 server. (Citation: McAfee GhostSecret) |
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) malware can obtain system time from a compromised host. (Citation: Lastline DarkHotel Just In Time Decryption Nov 2015) |
| Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover the system time by using the <code>net time</code> command. (Citation: Kaspersky Turla) |

-----------------------------------------------------------------------

## MITRE References

  * [MITRE ATT&CK](https://attack.mitre.org/techniques/T1124)

  * [CAPEC](https://capec.mitre.org/data/definitions/295.html)

  * [MSDN System Time](https://msdn.microsoft.com/ms724961.aspx), Microsoft. (n.d.). System Time. Retrieved November 25, 2016.

  * [Technet Windows Time Service](https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings), Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.

  * [RSA EU12 They're Inside](https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf), Rivner, U., Schwartz, E. (2012). They’re Inside… Now What? Retrieved November 25, 2016.

  * [AnyRun TimeBomb](https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/), Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Information Here

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Turla
- Surveys a system upon check-in to discover the system time by using the `net time` command.

## Detection Blindspots

- Information Here

## Analytical References

  * [Sysinfo System Time (microsoft)](https://docs.microsoft.com/en-us/windows/win32/sysinfo/system-time?redirectedfrom=MSDN)
  * [Windows Time Service Tools and Settings (microsoft)](https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/Windows-Time-Service-Tools-and-Settings)
  * [The Epic Turla Operation (securelist)](https://securelist.com/the-epic-turla-operation/65545/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- The use of time commands is not inherently malicious. These events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.

#### Analytic 1

  * **Information:** Identify use of "net time" command from client after "check-in"

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** `Event_ID:1 AND commandline:"*net time*"`
  * **Query:** `Event_ID:1 AND commandline:"*w32tm*"`
  * **Query:** `Event_ID:1 AND commandline:"*get-date*"`
  * **Query:** `Event_ID:1 AND commandline:"*time *"`
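
The Analytic 1 queries and the command-line monitoring described under Technique Detection, worked as an added example (not part of the original playbook or of MITRE's text): token-anchored matching over process-creation command lines, plus the chain-of-behavior check from the Hunter Notes. The event tuples are constructed samples, and the `schtasks` follow-on and the 10-minute window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Token-anchored patterns for the utilities named on this page. They are
# stricter than the wildcard queries, which also match e.g. "dotnet timeline".
TIME_DISCOVERY = [
    ("net time", re.compile(r'(?:^|[\\\s"])net1?(?:\.exe)?"?\s+time\b', re.I)),
    ("w32tm /tz", re.compile(r'(?:^|[\\\s"])w32tm(?:\.exe)?"?\s.*?/tz\b', re.I)),
    ("time /t", re.compile(r'(?:^|[\s&|])time\s+/t\b', re.I)),
    ("Get-Date", re.compile(r'\bget-date\b', re.I)),
]
# Assumption: schtasks is the follow-on of interest (Scheduled Task/Job, T1053).
FOLLOW_ON = re.compile(r'(?:^|[\\\s"])schtasks(?:\.exe)?"?\s', re.I)

def classify(cmdline):
    """Return the label of the first matching time-discovery pattern, or None."""
    return next((label for label, rx in TIME_DISCOVERY if rx.search(cmdline)), None)

def hunt(events, window=timedelta(minutes=10)):
    """Return (host, label, chained) per hit; chained means a scheduled-task
    command ran on the same host within `window` after the time query."""
    rows = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S.%f"), h, c)
                  for t, h, c in events)
    hits = []
    for i, (ts, host, cmd) in enumerate(rows):
        label = classify(cmd)
        if label is None:
            continue
        chained = any(h == host and t - ts <= window and FOLLOW_ON.search(c)
                      for t, h, c in rows[i + 1:])
        hits.append((host, label, chained))
    return hits

# Constructed Sysmon Event ID 1 fields (UtcTime, Computer, CommandLine); not real telemetry.
SAMPLE = [
    ("2021-07-08 10:00:01.000", "WS01", r"C:\Windows\System32\net.exe time \\FS01"),
    ("2021-07-08 10:04:30.000", "WS01", r"schtasks /create /tn Updater /tr C:\Temp\u.exe /sc once /st 02:00"),
    ("2021-07-08 10:05:00.000", "WS02", r"cmd.exe /c time /t"),
    ("2021-07-08 10:06:00.000", "WS02", r"dotnet timeline.dll --report"),
    ("2021-07-08 10:07:00.000", "WS03", r'"C:\Program Files\Vendor\runtime agent.exe" /start'),
    ("2021-07-08 10:08:00.000", "WS03", r"powershell.exe -NoProfile -Command Get-Date"),
    ("2021-07-08 10:09:00.000", "WS04", r"w32tm /tz"),
]

if __name__ == "__main__":
    for host, label, chained in hunt(SAMPLE):
        print(f"{host}: {label}" + ("  -> followed by schtasks" if chained else ""))
```

The `dotnet timeline.dll` and `runtime agent.exe` lines would match the `*net time*` and `*time *` wildcards respectively but are not reported here, which is the false-positive class to expect when running the broader queries.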

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

