Which SIEM platforms have a T1124 detection rule?

df00tech provides T1124 (System Time Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Time Discovery (T1124)?

Detecting System Time Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1124 detection?

The T1124 detection is rated low severity with low confidence.

What are common false positives for T1124?

Common false positives for T1124 include: NTP monitoring tools and network management platforms (SolarWinds, PRTG, Nagios) that routinely query system time for drift detection; IT automation scripts (Ansible, PowerShell DSC, SCCM) that check system time before applying scheduled changes or patches; Software installations and license managers that validate the system clock before activating features or checking certificate expiry.

T1124

System Time Discovery

Discovery Last updated: April 18, 2026

Adversaries may gather the system time and/or time zone settings from a local or remote system. System time is commonly queried to support time-bomb payloads (activating only after a preset date), sandbox evasion (detecting analysis environments via uptime or timestamp checks), encryption key generation seeded with timestamps, and victim targeting based on locale inference from timezone. Common methods include net time, w32tm /tz, GetSystemTime(), GetTickCount(), timedatectl, systemsetup -gettimezone, and ESXi-specific commands like esxcli system clock get. Malware families including Shamoon, ShrinkLocker, EvilBunny, Zebrocy, and Taidoor have all used system time queries for these purposes.

What is T1124 System Time Discovery?

System Time Discovery (T1124) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for System Time Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated low severity at low confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1124 System Time Discovery
Canonical reference: https://attack.mitre.org/techniques/T1124/

Microsoft Sentinel / Defender

kusto

let TimeDiscoveryCmds = dynamic([
  "net time", "w32tm", "GetTickCount", "GetSystemTime", "GetLocalTime",
  "NtQuerySystemTime", "timeIntervalSinceNow", "systemsetup -gettimezone",
  "systemsetup -getnetworktimeserver", "timedatectl", "show clock",
  "esxcli system clock", "clock detail"
]);
let TimeDiscoveryBinaries = dynamic([
  "net.exe", "net1.exe", "w32tm.exe", "systemsetup", "timedatectl"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ (TimeDiscoveryBinaries) and ProcessCommandLine has_any (TimeDiscoveryCmds))
    or (FileName =~ "net.exe" and ProcessCommandLine has "time")
    or (FileName =~ "net1.exe" and ProcessCommandLine has "time")
    or (FileName =~ "w32tm.exe")
    or (ProcessCommandLine has "w32tm" and ProcessCommandLine has_any ("/tz", "/query", "/stripchart"))
    or (ProcessCommandLine has "net" and ProcessCommandLine has "time" and ProcessCommandLine has "\\\\")  // remote time query
)
| extend IsRemoteTimeQuery = ProcessCommandLine has "\\\\"  // net time \\hostname pattern
| extend IsTimezoneQuery = ProcessCommandLine has_any ("/tz", "timezone", "gettimezone")
| extend IsUptimeQuery = ProcessCommandLine has_any ("GetTickCount", "uptime", "/stripchart")
| extend SuspiciousParent = InitiatingProcessFileName in~ (
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe",
    "svchost.exe", "explorer.exe"
  )
| extend SuspicionScore = toint(IsRemoteTimeQuery) + toint(IsTimezoneQuery) + toint(IsUptimeQuery) + toint(SuspiciousParent)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsRemoteTimeQuery, IsTimezoneQuery, IsUptimeQuery, SuspiciousParent, SuspicionScore
| sort by Timestamp desc

Detects system time and timezone discovery commands using Microsoft Defender for Endpoint DeviceProcessEvents. Covers net time (local and remote), w32tm queries, and timezone enumeration. Enriches each event with context flags for remote time queries (net time \\hostname), timezone queries, uptime checks, and suspicious parent processes. A suspicion score aggregates these indicators to help analysts prioritize — isolated time checks score low, but time discovery launched by scripting engines or LOLBins score higher.

low severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

NTP monitoring tools and network management platforms (SolarWinds, PRTG, Nagios) that routinely query system time for drift detection
IT automation scripts (Ansible, PowerShell DSC, SCCM) that check system time before applying scheduled changes or patches
Software installations and license managers that validate the system clock before activating features or checking certificate expiry
Backup and replication agents that synchronize timestamps across systems or verify time consistency before initiating jobs
Security tools and SIEMs that query w32tm for time-sync audit compliance checks

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
(Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\w32tm.exe")
| eval CommandLine=lower(CommandLine)
| eval IsNetTime=if(match(CommandLine, "net(1)?\.exe.*\btime\b"), 1, 0)
| eval IsRemoteTimeQuery=if(match(CommandLine, "net(1)?\.exe.*\btime\b.*\\\\"), 1, 0)
| eval IsW32tmQuery=if(match(Image, "w32tm"), 1, 0)
| eval IsTimezoneQuery=if(match(CommandLine, "(/tz|/query|timezone|gettimezone)"), 1, 0)
| eval IsUptimeQuery=if(match(CommandLine, "(stripchart|gettickcount|uptime)"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)"), 1, 0)
| eval SuspicionScore=IsNetTime + IsRemoteTimeQuery + IsW32tmQuery + IsTimezoneQuery + IsUptimeQuery + SuspiciousParent
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsNetTime, IsRemoteTimeQuery, IsW32tmQuery, IsTimezoneQuery, IsUptimeQuery, SuspiciousParent, SuspicionScore
| sort - _time

Detects system time discovery activity using Sysmon Event ID 1 (Process Creation). Monitors net.exe, net1.exe, and w32tm.exe invocations for time-related subcommands. Assigns Boolean indicator fields and a cumulative suspicion score to allow threshold-based alerting. Remote time queries (net time \\hostname) and time commands launched by scripting interpreters receive higher scores and should be prioritized for analyst review.

low severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

NTP monitoring tools and network management platforms (SolarWinds, PRTG, Nagios) that routinely query system time for drift detection
IT automation scripts (Ansible, PowerShell DSC, SCCM) that check system time before applying scheduled changes or patches
Software installations and license managers that validate the system clock before activating features or checking certificate expiry
Backup and replication agents that synchronize timestamps across systems or verify time consistency before initiating jobs
Security tools and SIEMs that query w32tm for time-sync audit compliance checks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  username,
  "Process Name" AS process_name,
  "Process CommandLine" AS command_line,
  "Parent Process Path" AS parent_process,
  CASE
    WHEN LOWER("Process CommandLine") MATCHES '.*net1?\.exe.*\\btime\\b.*\\\\\\\\.*' THEN 1
    ELSE 0
  END AS is_remote_time_query,
  CASE
    WHEN LOWER("Process CommandLine") MATCHES '.*((/tz)|(/query)|timezone|gettimezone).*' THEN 1
    ELSE 0
  END AS is_timezone_query,
  CASE
    WHEN LOWER("Process CommandLine") MATCHES '.*(stripchart|gettickcount|uptime).*' THEN 1
    ELSE 0
  END AS is_uptime_query,
  CASE
    WHEN LOWER("Parent Process Path") MATCHES '.*(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32).*' THEN 1
    ELSE 0
  END AS suspicious_parent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND eventid IN (4688, 1)
  AND (
    (LOWER("Process Name") MATCHES '.*(\\\\|/)net1?\.exe' AND LOWER("Process CommandLine") LIKE '%time%')
    OR LOWER("Process Name") MATCHES '.*(\\\\|/)w32tm\.exe'
    OR (LOWER("Process Name") MATCHES '.*(\\\\|/)timedatectl' AND LOWER("Process CommandLine") MATCHES '.*(status|show|timesync).*')
    OR (LOWER("Process Name") MATCHES '.*(\\\\|/)systemsetup' AND LOWER("Process CommandLine") MATCHES '.*(-gettimezone|-getnetworktimeserver).*')
    OR (LOWER("Process CommandLine") MATCHES '.*esxcli.*system.*clock.*')
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC

QRadar AQL query detecting system time discovery activity from Windows Security Event Log (EventID 4688) and Sysmon (EventID 1) process creation events. Flags net time, w32tm, timedatectl, systemsetup, and ESXi clock queries with enrichment fields for remote queries, timezone queries, and suspicious parent processes.

low severity medium confidence

Data Sources

Windows Security Event Log Sysmon via QRadar DSM Linux OS logs

Required Tables

events

False Positives

Domain-joined workstations running net time against a domain controller as part of normal Kerberos pre-authentication clock sync procedures
Windows Time Service (W32Time) itself logging w32tm.exe process activity during scheduled NTP synchronization cycles
Linux infrastructure automation tools (Ansible, Chef, Puppet) invoking timedatectl to verify or set system time during provisioning runbooks

Sumo Logic CSE

sql

(_sourceCategory="os/windows/sysmon" OR _sourceCategory="os/windows/security")
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as command_line nodrop
| parse field=Image "*" as image_path nodrop
| parse field=ParentImage "*" as parent_image nodrop
| where (
    (matches(toLowerCase(image_path), ".*\\\\net\.exe") and matches(toLowerCase(command_line), ".*\btime\b.*"))
    or (matches(toLowerCase(image_path), ".*\\\\net1\.exe") and matches(toLowerCase(command_line), ".*\btime\b.*"))
    or matches(toLowerCase(image_path), ".*\\\\w32tm\.exe")
    or (matches(toLowerCase(image_path), ".*\\\\timedatectl") and matches(toLowerCase(command_line), ".*(status|show|timesync-status).*"))
    or (matches(toLowerCase(image_path), ".*\\\\systemsetup") and matches(toLowerCase(command_line), ".*(gettimezone|getnetworktimeserver).*"))
    or matches(toLowerCase(command_line), ".*esxcli.*system.*clock.*")
  )
| eval is_remote_time = if(matches(toLowerCase(command_line), ".*net1?\.exe.*\btime\b.*\\\\\\\\.+"), 1, 0)
| eval is_timezone_query = if(matches(toLowerCase(command_line), ".*(/tz|/query|timezone|gettimezone).*"), 1, 0)
| eval is_uptime_query = if(matches(toLowerCase(command_line), ".*(stripchart|gettickcount|uptime).*"), 1, 0)
| eval suspicious_parent = if(matches(toLowerCase(parent_image), ".*(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32).*"), 1, 0)
| eval suspicion_score = is_remote_time + is_timezone_query + is_uptime_query + suspicious_parent
| where suspicion_score > 0
| fields _messageTime, Computer, User, image_path, command_line, parent_image, is_remote_time, is_timezone_query, is_uptime_query, suspicious_parent, suspicion_score
| sort by _messageTime desc

Sumo Logic CQL query detecting T1124 System Time Discovery from Windows Sysmon and Security event logs. Parses process creation events to identify net time, w32tm, timedatectl, systemsetup, and ESXi clock commands, enriching with suspicion scoring for remote queries, timezone enumeration, and suspicious parent processes.

low severity medium confidence

Data Sources

Sysmon (Windows) Windows Security Event Log Linux syslog with auditd

Required Tables

_sourceCategory=os/windows/sysmon _sourceCategory=os/windows/security

False Positives

IT helpdesk scripts that query net time against domain controllers to diagnose Kerberos authentication failures caused by clock skew exceeding the 5-minute tolerance
Backup software agents that verify system time prior to initiating backup jobs to ensure accurate timestamp metadata on backup archives
Security baseline scanning tools (CIS-CAT, SCAP scanners) that query timedatectl or w32tm as part of configuration compliance assessments

Google Chronicle / SecOps

yaral

rule t1124_system_time_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE ATT&CK T1124 System Time Discovery via common time-querying binaries"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1124"
    severity = "LOW"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\|/)net1?\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\btime\b`)
      ) or
      re.regex($e.target.process.file.full_path, `(?i)(\\|/)w32tm\.exe$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)timedatectl$`) and
        re.regex($e.target.process.command_line, `(?i)(status|show|timesync-status)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)systemsetup$`) and
        re.regex($e.target.process.command_line, `(?i)(-gettimezone|-getnetworktimeserver)`)
      ) or
      re.regex($e.target.process.command_line, `(?i)esxcli\s+system\s+clock`)
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_path = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path
    $is_remote_query = if(
      re.regex($e.target.process.command_line, `(?i)net1?\.exe.*\btime\b.*\\\\`),
      "true", "false"
    )
    $is_timezone_query = if(
      re.regex($e.target.process.command_line, `(?i)(/tz|/query|timezone|gettimezone)`),
      "true", "false"
    )
    $suspicious_parent = if(
      re.regex($e.principal.process.file.full_path, `(?i)(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe`),
      "true", "false"
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1124 System Time Discovery. Matches process launch events in UDM where time-discovery binaries (net.exe, net1.exe, w32tm.exe, timedatectl, systemsetup) are executed, with outcome fields enriching the alert with remote query indicators, timezone query flags, and suspicious parent process identification.

low severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Windows Event Logs via Chronicle forwarder Endpoint telemetry via Chronicle agents

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Group Policy processing by svchost.exe or gpscript.exe invoking net time against domain controllers during logon script execution
Legitimate system administration via remote management tools (PsExec, WinRM) where an admin runs w32tm /resync remotely on servers during maintenance windows
EDR or asset management agents that enumerate system time during periodic inventory collection to detect configuration drift

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\|\/)((net1?\.exe)|(w32tm\.exe)|(timedatectl)|(systemsetup))$/
| CommandLine = /.+/
| case {
    ImageFileName = /(?i)net1?\.exe/ AND CommandLine = /(?i)\btime\b/ | IsNetTime := "true";
    * | IsNetTime := "false"
  }
| case {
    CommandLine = /(?i)net1?\.exe.*\btime\b.*\\\\/ | IsRemoteTimeQuery := "true";
    * | IsRemoteTimeQuery := "false"
  }
| case {
    ImageFileName = /(?i)w32tm\.exe/ | IsW32tmQuery := "true";
    * | IsW32tmQuery := "false"
  }
| case {
    CommandLine = /(?i)(\/tz|\/query|timezone|gettimezone)/ | IsTimezoneQuery := "true";
    * | IsTimezoneQuery := "false"
  }
| case {
    CommandLine = /(?i)(stripchart|gettickcount|uptime)/ | IsUptimeQuery := "true";
    * | IsUptimeQuery := "false"
  }
| case {
    ParentBaseFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe/ | SuspiciousParent := "true";
    * | SuspiciousParent := "false"
  }
| SuspicionScore :=
    if(IsNetTime = "true", 1, 0) +
    if(IsRemoteTimeQuery = "true", 1, 0) +
    if(IsW32tmQuery = "true", 1, 0) +
    if(IsTimezoneQuery = "true", 1, 0) +
    if(IsUptimeQuery = "true", 1, 0) +
    if(SuspiciousParent = "true", 1, 0)
| SuspicionScore > 0
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsNetTime, IsRemoteTimeQuery, IsW32tmQuery, IsTimezoneQuery, IsUptimeQuery, SuspiciousParent, SuspicionScore])
| sort(field=@timestamp, order=desc)

CrowdStrike LogScale (Falcon) CQL query detecting T1124 System Time Discovery using ProcessRollup2 events from the Falcon sensor. Identifies time-discovery binaries (net.exe, net1.exe, w32tm.exe, timedatectl, systemsetup) and enriches events with suspicion scoring covering remote time queries, timezone enumeration, uptime checks, and execution from suspicious parent processes.

low severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) Falcon Complete / Insight telemetry

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Windows NTP client (W32Time service) spawning w32tm.exe for scheduled synchronization appearing as w32tm /resync /force under svchost.exe
Enterprise monitoring platforms (SolarWinds, SCOM) executing net time periodically against servers to detect and alert on clock drift before it impacts authentication services
DevOps CI/CD pipeline agents running timedatectl or net time as a pre-flight check to ensure consistent timestamps on build artifacts and code signing operations

Sigma rule & cross-platform mapping

The detection logic for System Time Discovery (T1124) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1124 Sigma rules on detection.fyi

Platform-specific guides for T1124

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (8)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Local System Time Query via net time
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net time'. Security Event ID 4688 (if command line auditing enabled). Parent process will be cmd.exe or the test runner.
Test 2Timezone and Time Source Discovery via w32tm
Expected signal: Sysmon Event ID 1: Two Process Create events — w32tm.exe with CommandLine 'w32tm /tz' and 'w32tm /query /status'. Security Event ID 4688 for each invocation if audit process creation is enabled.
Test 3Remote System Time Discovery via net time with hostname
Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe, CommandLine containing 'net time \\<hostname>'. Sysmon Event ID 3: Network connection to the target host on port 445 (SMB). Security Event ID 4688 if audit policy is configured.
Test 4System Time Discovery via PowerShell (Scripted Discovery Simulation)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing '[DateTime]::UtcNow', '[Environment]::TickCount', and '[System.TimeZoneInfo]'. PowerShell ScriptBlock Logging Event ID 4104 captures the full script. Sysmon Event ID 11: File Create for df00tech-time.txt in %TEMP%.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1124 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Time Discovery

What is T1124 System Time Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1124

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1124 System Time Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1124

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox