T1124 System Time Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let TimeDiscoveryCmds = dynamic([
  "net time", "w32tm", "GetTickCount", "GetSystemTime", "GetLocalTime",
  "NtQuerySystemTime", "timeIntervalSinceNow", "systemsetup -gettimezone",
  "systemsetup -getnetworktimeserver", "timedatectl", "show clock",
  "esxcli system clock", "clock detail"
]);
let TimeDiscoveryBinaries = dynamic([
  "net.exe", "net1.exe", "w32tm.exe", "systemsetup", "timedatectl"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ (TimeDiscoveryBinaries) and ProcessCommandLine has_any (TimeDiscoveryCmds))
    or (FileName =~ "net.exe" and ProcessCommandLine has "time")
    or (FileName =~ "net1.exe" and ProcessCommandLine has "time")
    or (FileName =~ "w32tm.exe")
    or (ProcessCommandLine has "w32tm" and ProcessCommandLine has_any ("/tz", "/query", "/stripchart"))
    or (ProcessCommandLine has "net" and ProcessCommandLine has "time" and ProcessCommandLine has "\\\\")  // remote time query
)
| extend IsRemoteTimeQuery = ProcessCommandLine has "\\\\"  // net time \\hostname pattern
| extend IsTimezoneQuery = ProcessCommandLine has_any ("/tz", "timezone", "gettimezone")
| extend IsUptimeQuery = ProcessCommandLine has_any ("GetTickCount", "uptime", "/stripchart")
| extend SuspiciousParent = InitiatingProcessFileName in~ (
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe",
    "svchost.exe", "explorer.exe"
  )
| extend SuspicionScore = toint(IsRemoteTimeQuery) + toint(IsTimezoneQuery) + toint(IsUptimeQuery) + toint(SuspiciousParent)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsRemoteTimeQuery, IsTimezoneQuery, IsUptimeQuery, SuspiciousParent, SuspicionScore
| sort by Timestamp desc

low severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

NTP monitoring tools and network management platforms (SolarWinds, PRTG, Nagios) that routinely query system time for drift detection
IT automation scripts (Ansible, PowerShell DSC, SCCM) that check system time before applying scheduled changes or patches
Software installations and license managers that validate the system clock before activating features or checking certificate expiry
Backup and replication agents that synchronize timestamps across systems or verify time consistency before initiating jobs
Security tools and SIEMs that query w32tm for time-sync audit compliance checks

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
(Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\w32tm.exe")
| eval CommandLine=lower(CommandLine)
| eval IsNetTime=if(match(CommandLine, "net(1)?\.exe.*\btime\b"), 1, 0)
| eval IsRemoteTimeQuery=if(match(CommandLine, "net(1)?\.exe.*\btime\b.*\\\\"), 1, 0)
| eval IsW32tmQuery=if(match(Image, "w32tm"), 1, 0)
| eval IsTimezoneQuery=if(match(CommandLine, "(/tz|/query|timezone|gettimezone)"), 1, 0)
| eval IsUptimeQuery=if(match(CommandLine, "(stripchart|gettickcount|uptime)"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)"), 1, 0)
| eval SuspicionScore=IsNetTime + IsRemoteTimeQuery + IsW32tmQuery + IsTimezoneQuery + IsUptimeQuery + SuspiciousParent
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsNetTime, IsRemoteTimeQuery, IsW32tmQuery, IsTimezoneQuery, IsUptimeQuery, SuspiciousParent, SuspicionScore
| sort - _time

low severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

NTP monitoring tools and network management platforms (SolarWinds, PRTG, Nagios) that routinely query system time for drift detection
IT automation scripts (Ansible, PowerShell DSC, SCCM) that check system time before applying scheduled changes or patches
Software installations and license managers that validate the system clock before activating features or checking certificate expiry
Backup and replication agents that synchronize timestamps across systems or verify time consistency before initiating jobs
Security tools and SIEMs that query w32tm for time-sync audit compliance checks

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (
     (process.name in~ ("net.exe", "net1.exe") and process.args : "time") or
     process.name == "w32tm.exe" or
     (process.name == "timedatectl" and process.args in ("status", "show", "timesync-status")) or
     (process.name == "systemsetup" and process.args in ("-gettimezone", "-getnetworktimeserver")) or
     (process.args : ("esxcli") and process.command_line : "*system clock*")
   ) and
   process.parent.name in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe")
  ]

any where
  (
    process.name in~ ("net.exe", "net1.exe") and process.command_line : ("*time*\\\\*") /* remote time query */
  ) or
  (
    process.name == "w32tm.exe" and process.args in ("/tz", "/query", "/stripchart")
  ) or
  (
    process.name in~ ("net.exe", "net1.exe") and process.args : "time"
  )

low severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

Legitimate IT administrators running w32tm /query or w32tm /resync for NTP synchronization troubleshooting
Automated deployment scripts using net time to synchronize clocks before performing time-sensitive operations such as Kerberos ticket requests
Monitoring agents or SCOM/Nagios scripts that periodically query system time to detect clock drift across infrastructure

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  username,
  "Process Name" AS process_name,
  "Process CommandLine" AS command_line,
  "Parent Process Path" AS parent_process,
  CASE
    WHEN LOWER("Process CommandLine") MATCHES '.*net1?\.exe.*\\btime\\b.*\\\\\\\\.*' THEN 1
    ELSE 0
  END AS is_remote_time_query,
  CASE
    WHEN LOWER("Process CommandLine") MATCHES '.*((/tz)|(/query)|timezone|gettimezone).*' THEN 1
    ELSE 0
  END AS is_timezone_query,
  CASE
    WHEN LOWER("Process CommandLine") MATCHES '.*(stripchart|gettickcount|uptime).*' THEN 1
    ELSE 0
  END AS is_uptime_query,
  CASE
    WHEN LOWER("Parent Process Path") MATCHES '.*(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32).*' THEN 1
    ELSE 0
  END AS suspicious_parent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND eventid IN (4688, 1)
  AND (
    (LOWER("Process Name") MATCHES '.*(\\\\|/)net1?\.exe' AND LOWER("Process CommandLine") LIKE '%time%')
    OR LOWER("Process Name") MATCHES '.*(\\\\|/)w32tm\.exe'
    OR (LOWER("Process Name") MATCHES '.*(\\\\|/)timedatectl' AND LOWER("Process CommandLine") MATCHES '.*(status|show|timesync).*')
    OR (LOWER("Process Name") MATCHES '.*(\\\\|/)systemsetup' AND LOWER("Process CommandLine") MATCHES '.*(-gettimezone|-getnetworktimeserver).*')
    OR (LOWER("Process CommandLine") MATCHES '.*esxcli.*system.*clock.*')
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC

low severity medium confidence

Data Sources

Windows Security Event Log Sysmon via QRadar DSM Linux OS logs

Required Tables

events

False Positives

Domain-joined workstations running net time against a domain controller as part of normal Kerberos pre-authentication clock sync procedures
Windows Time Service (W32Time) itself logging w32tm.exe process activity during scheduled NTP synchronization cycles
Linux infrastructure automation tools (Ansible, Chef, Puppet) invoking timedatectl to verify or set system time during provisioning runbooks

Sumo Logic CSE

sql

(_sourceCategory="os/windows/sysmon" OR _sourceCategory="os/windows/security")
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as command_line nodrop
| parse field=Image "*" as image_path nodrop
| parse field=ParentImage "*" as parent_image nodrop
| where (
    (matches(toLowerCase(image_path), ".*\\\\net\.exe") and matches(toLowerCase(command_line), ".*\btime\b.*"))
    or (matches(toLowerCase(image_path), ".*\\\\net1\.exe") and matches(toLowerCase(command_line), ".*\btime\b.*"))
    or matches(toLowerCase(image_path), ".*\\\\w32tm\.exe")
    or (matches(toLowerCase(image_path), ".*\\\\timedatectl") and matches(toLowerCase(command_line), ".*(status|show|timesync-status).*"))
    or (matches(toLowerCase(image_path), ".*\\\\systemsetup") and matches(toLowerCase(command_line), ".*(gettimezone|getnetworktimeserver).*"))
    or matches(toLowerCase(command_line), ".*esxcli.*system.*clock.*")
  )
| eval is_remote_time = if(matches(toLowerCase(command_line), ".*net1?\.exe.*\btime\b.*\\\\\\\\.+"), 1, 0)
| eval is_timezone_query = if(matches(toLowerCase(command_line), ".*(/tz|/query|timezone|gettimezone).*"), 1, 0)
| eval is_uptime_query = if(matches(toLowerCase(command_line), ".*(stripchart|gettickcount|uptime).*"), 1, 0)
| eval suspicious_parent = if(matches(toLowerCase(parent_image), ".*(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32).*"), 1, 0)
| eval suspicion_score = is_remote_time + is_timezone_query + is_uptime_query + suspicious_parent
| where suspicion_score > 0
| fields _messageTime, Computer, User, image_path, command_line, parent_image, is_remote_time, is_timezone_query, is_uptime_query, suspicious_parent, suspicion_score
| sort by _messageTime desc

low severity medium confidence

Data Sources

Sysmon (Windows) Windows Security Event Log Linux syslog with auditd

Required Tables

_sourceCategory=os/windows/sysmon _sourceCategory=os/windows/security

False Positives

IT helpdesk scripts that query net time against domain controllers to diagnose Kerberos authentication failures caused by clock skew exceeding the 5-minute tolerance
Backup software agents that verify system time prior to initiating backup jobs to ensure accurate timestamp metadata on backup archives
Security baseline scanning tools (CIS-CAT, SCAP scanners) that query timedatectl or w32tm as part of configuration compliance assessments

Google Chronicle / SecOps

yaral

rule t1124_system_time_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE ATT&CK T1124 System Time Discovery via common time-querying binaries"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1124"
    severity = "LOW"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\|/)net1?\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\btime\b`)
      ) or
      re.regex($e.target.process.file.full_path, `(?i)(\\|/)w32tm\.exe$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)timedatectl$`) and
        re.regex($e.target.process.command_line, `(?i)(status|show|timesync-status)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)systemsetup$`) and
        re.regex($e.target.process.command_line, `(?i)(-gettimezone|-getnetworktimeserver)`)
      ) or
      re.regex($e.target.process.command_line, `(?i)esxcli\s+system\s+clock`)
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_path = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path
    $is_remote_query = if(
      re.regex($e.target.process.command_line, `(?i)net1?\.exe.*\btime\b.*\\\\`),
      "true", "false"
    )
    $is_timezone_query = if(
      re.regex($e.target.process.command_line, `(?i)(/tz|/query|timezone|gettimezone)`),
      "true", "false"
    )
    $suspicious_parent = if(
      re.regex($e.principal.process.file.full_path, `(?i)(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe`),
      "true", "false"
    )

  condition:
    $e
}

low severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Windows Event Logs via Chronicle forwarder Endpoint telemetry via Chronicle agents

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Group Policy processing by svchost.exe or gpscript.exe invoking net time against domain controllers during logon script execution
Legitimate system administration via remote management tools (PsExec, WinRM) where an admin runs w32tm /resync remotely on servers during maintenance windows
EDR or asset management agents that enumerate system time during periodic inventory collection to detect configuration drift

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\|\/)((net1?\.exe)|(w32tm\.exe)|(timedatectl)|(systemsetup))$/
| CommandLine = /.+/
| case {
    ImageFileName = /(?i)net1?\.exe/ AND CommandLine = /(?i)\btime\b/ | IsNetTime := "true";
    * | IsNetTime := "false"
  }
| case {
    CommandLine = /(?i)net1?\.exe.*\btime\b.*\\\\/ | IsRemoteTimeQuery := "true";
    * | IsRemoteTimeQuery := "false"
  }
| case {
    ImageFileName = /(?i)w32tm\.exe/ | IsW32tmQuery := "true";
    * | IsW32tmQuery := "false"
  }
| case {
    CommandLine = /(?i)(\/tz|\/query|timezone|gettimezone)/ | IsTimezoneQuery := "true";
    * | IsTimezoneQuery := "false"
  }
| case {
    CommandLine = /(?i)(stripchart|gettickcount|uptime)/ | IsUptimeQuery := "true";
    * | IsUptimeQuery := "false"
  }
| case {
    ParentBaseFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe/ | SuspiciousParent := "true";
    * | SuspiciousParent := "false"
  }
| SuspicionScore :=
    if(IsNetTime = "true", 1, 0) +
    if(IsRemoteTimeQuery = "true", 1, 0) +
    if(IsW32tmQuery = "true", 1, 0) +
    if(IsTimezoneQuery = "true", 1, 0) +
    if(IsUptimeQuery = "true", 1, 0) +
    if(SuspiciousParent = "true", 1, 0)
| SuspicionScore > 0
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsNetTime, IsRemoteTimeQuery, IsW32tmQuery, IsTimezoneQuery, IsUptimeQuery, SuspiciousParent, SuspicionScore])
| sort(field=@timestamp, order=desc)

low severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) Falcon Complete / Insight telemetry

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Windows NTP client (W32Time service) spawning w32tm.exe for scheduled synchronization appearing as w32tm /resync /force under svchost.exe
Enterprise monitoring platforms (SolarWinds, SCOM) executing net time periodically against servers to detect and alert on clock drift before it impacts authentication services
DevOps CI/CD pipeline agents running timedatectl or net time as a pre-flight check to ensure consistent timestamps on build artifacts and code signing operations

System Time Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections