Detect System Time Discovery in Google Chronicle
Adversaries may gather the system time and/or time zone settings from a local or remote system. System time is commonly queried to support time-bomb payloads (activating only after a preset date), sandbox evasion (detecting analysis environments via uptime or timestamp checks), encryption key generation seeded with timestamps, and victim targeting based on locale inference from timezone. Common methods include net time, w32tm /tz, GetSystemTime(), GetTickCount(), timedatectl, systemsetup -gettimezone, and ESXi-specific commands like esxcli system clock get. Malware families including Shamoon, ShrinkLocker, EvilBunny, Zebrocy, and Taidoor have all used system time queries for these purposes.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1124 System Time Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1124/
YARA-L Detection Query
rule t1124_system_time_discovery {

  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE ATT&CK T1124 System Time Discovery via common time-querying binaries"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1124"
    severity = "LOW"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // In UDM PROCESS_LAUNCH events target.process is the binary being launched and
    // principal.process is its parent, so every binary match reads target.process.
    (
      (
        // net.exe hands the command off to net1.exe, so both images are matched
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)net1?\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\btime\b`)
      ) or
      re.regex($e.target.process.file.full_path, `(?i)(\\|/)w32tm\.exe$`) or
      (
        // bare timedatectl prints status; set-time / set-timezone are not discovery
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)timedatectl$`) and
        re.regex($e.target.process.command_line, `(?i)\btimedatectl(\s+(status|show|timesync-status))?\s*$`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)systemsetup$`) and
        re.regex($e.target.process.command_line, `(?i)(-gettimezone|-getnetworktimeserver)`)
      ) or
      re.regex($e.target.process.command_line, `(?i)esxcli\s+system\s+clock\s+get`)
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    // A rule with a match section must aggregate outcome variables that read event fields.
    $hostname = array_distinct($e.principal.hostname)
    $username = array_distinct($e.principal.user.userid)
    $process_path = array_distinct($e.target.process.file.full_path)
    $command_line = array_distinct($e.target.process.command_line)
    $parent_process = array_distinct($e.principal.process.file.full_path)
    // "net time \\host" queries another machine's clock; the command line rarely carries ".exe"
    $is_remote_query = max(if(
      re.regex($e.target.process.command_line, `(?i)\bnet1?(\.exe)?\s+time\b.*\\\\`),
      1, 0
    ))
    // w32tm /tz, timedatectl timezone output, systemsetup -gettimezone
    $is_timezone_query = max(if(
      re.regex($e.target.process.command_line, `(?i)(/tz|timezone|gettimezone)`),
      1, 0
    ))
    $suspicious_parent = max(if(
      re.regex($e.principal.process.file.full_path, `(?i)(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe`),
      1, 0
    ))

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1124 System Time Discovery. It matches UDM PROCESS_LAUNCH events in which a time-discovery binary is executed (net.exe or net1.exe with a time argument, w32tm.exe, timedatectl with a status subcommand, systemsetup with -gettimezone or -getnetworktimeserver) or an esxcli system clock get command is run, groups them per host over five minutes, and enriches the detection with outcome fields that flag remote net time queries against another host, timezone queries, and launches whose parent is a script host (PowerShell, wscript, cscript, mshta, regsvr32, rundll32).
Data Sources
Required Tables
Chronicle UDM events with metadata.event_type = "PROCESS_LAUNCH" that populate target.process.file.full_path, target.process.command_line and principal.process.file.full_path. In practice this is EDR process telemetry, Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled; without command-line capture only the w32tm.exe branch can fire, because the net time, timedatectl, systemsetup and esxcli branches all depend on the arguments.
False Positives & Tuning
- Group Policy processing by svchost.exe or gpscript.exe invoking net time against domain controllers during logon script execution
- Legitimate system administration via remote management tools (PsExec, WinRM) where an admin runs w32tm /resync remotely on servers during maintenance windows
- EDR or asset management agents that enumerate system time during periodic inventory collection to detect configuration drift
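The rule's event branches and outcome flags, run over a handful of constructed PROCESS_LAUNCH events, as an added Python example (this is not the page's rule, nor Chronicle code, and Chronicle does not evaluate rules this way). The regular expressions are the rule's own, with the same field semantics (target.process is the launched binary, principal.process its parent); the 5-minute per-host grouping only approximates the match section, and the gpscript.exe allowlist is an assumption added to show how the Group Policy tuning from the false-positive list would be applied. All events, hostnames, users and paths are constructed sample data.

```python
import re

def ev(ts, host, user, parent, path, cmd, kind="PROCESS_LAUNCH"):
    """Build a constructed UDM-style event; keys mirror the field paths the rule reads."""
    return {"metadata.event_type": kind, "metadata.event_timestamp": ts,
            "principal.hostname": host, "principal.user.userid": user,
            "principal.process.file.full_path": parent,
            "target.process.file.full_path": path, "target.process.command_line": cmd}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    # script host running a remote query (Test 3); net.exe then hands off to net1.exe
    ev(1000, "WS-0142", "jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       r"C:\Windows\System32\net.exe", r"net time \\DC01"),
    ev(1001, "WS-0142", "jdoe", r"C:\Windows\System32\net.exe",
       r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 time \\DC01"),
    ev(1100, "WS-0142", "jdoe", r"C:\Windows\System32\cmd.exe",            # Test 2
       r"C:\Windows\System32\w32tm.exe", "w32tm /tz"),
    ev(1050, "LNX-07", "ops", "/bin/bash", "/usr/bin/timedatectl", "timedatectl status"),
    ev(2000, "WS-0201", "SYSTEM", r"C:\Windows\System32\gpscript.exe",    # GPO clock sync
       r"C:\Windows\System32\net.exe", r"net time \\DC01 /set /y"),
    ev(2010, "WS-0201", "jdoe", r"C:\Windows\explorer.exe",                # not time discovery
       r"C:\Windows\System32\net.exe", r"net use Z: \\FS01\share"),
    ev(5000, "WS-0142", "jdoe", r"C:\Windows\System32\cmd.exe",            # outside first window
       r"C:\Windows\System32\w32tm.exe", "w32tm /query /status"),
]

SEP = r"(?:\\|/)"
CLAUSES = [  # (image regex, command-line regex), one tuple per OR branch of the rule
    (re.compile(SEP + r"net1?\.exe$", re.I), re.compile(r"\btime\b", re.I)),
    (re.compile(SEP + r"w32tm\.exe$", re.I), None),
    (re.compile(SEP + r"timedatectl$", re.I),
     re.compile(r"\btimedatectl(\s+(status|show|timesync-status))?\s*$", re.I)),
    (re.compile(SEP + r"systemsetup$", re.I), re.compile(r"-get(timezone|networktimeserver)", re.I)),
    (None, re.compile(r"esxcli\s+system\s+clock\s+get", re.I)),
]
REMOTE_NET_TIME = re.compile(r"\bnet1?(\.exe)?\s+time\b.*\\\\", re.I)
TZ_QUERY = re.compile(r"/tz|timezone|gettimezone", re.I)
SCRIPT_HOST = re.compile(r"(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe", re.I)
# Tuning allowlist (an assumption for this example): Group Policy script processing.
# svchost.exe is deliberately absent; it hosts too many services to allowlist by image name.
BENIGN_PARENT = re.compile(SEP + r"gpscript\.exe$", re.I)
WINDOW = 300  # seconds, the rule's "over 5m"

def evaluate(e):
    """Per-event half of the rule: the outcome fields for a matching event, else None."""
    if e.get("metadata.event_type") != "PROCESS_LAUNCH":
        return None
    path, cmd = e.get("target.process.file.full_path", ""), e.get("target.process.command_line", "")
    parent = e.get("principal.process.file.full_path", "")
    if not any((p is None or p.search(path)) and (c is None or c.search(cmd)) for p, c in CLAUSES):
        return None
    return {"hostname": e["principal.hostname"], "username": e["principal.user.userid"],
            "process_path": path, "command_line": cmd, "parent_process": parent,
            "is_remote_query": bool(REMOTE_NET_TIME.search(cmd)),
            "is_timezone_query": bool(TZ_QUERY.search(cmd)),
            "suspicious_parent": bool(SCRIPT_HOST.search(parent)),
            "allowlisted_parent": bool(BENIGN_PARENT.search(parent))}

def detect(events, apply_allowlist=True):
    """Match half of the rule: group hits per hostname into 5-minute windows and fold the
    outcome fields like array_distinct() and max() would (distinct values, any-true flags)."""
    windows, current = {}, {}
    for e in sorted(events, key=lambda x: x["metadata.event_timestamp"]):
        out = evaluate(e)
        if out is None or (apply_allowlist and out["allowlisted_parent"]):
            continue
        host, ts = out["hostname"], e["metadata.event_timestamp"]
        if host not in current or ts - current[host] > WINDOW:
            current[host] = ts  # open a new window for this host
        agg = windows.setdefault((host, current[host]), {
            "hostname": host, "window_start": current[host], "usernames": set(),
            "process_paths": set(), "command_lines": set(), "parent_processes": set(),
            "is_remote_query": False, "is_timezone_query": False, "suspicious_parent": False})
        for single, plural in (("username", "usernames"), ("process_path", "process_paths"),
                               ("command_line", "command_lines"), ("parent_process", "parent_processes")):
            agg[plural].add(out[single])
        for flag in ("is_remote_query", "is_timezone_query", "suspicious_parent"):
            agg[flag] = agg[flag] or out[flag]
    return list(windows.values())

if __name__ == "__main__":
    for d in detect(SAMPLE_EVENTS):
        flags = [f for f in ("is_remote_query", "is_timezone_query", "suspicious_parent") if d[f]]
        print(d["hostname"], d["window_start"], sorted(d["command_lines"]), flags)
```

Running it yields three detections: the WS-0142 window opened at 1000 carries both the net.exe and net1.exe launches plus the w32tm /tz query and raises all three flags; LNX-07 fires on timedatectl status; the later w32tm /query /status on WS-0142 lands in a separate window with no flags. The gpscript.exe-driven net time /set is suppressed by the allowlist (pass apply_allowlist=False to see it as a fourth detection), and net use never matches because the net branch also requires a time argument.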
Testing Methodology
Validate this detection against the four Atomic Red Team tests for T1124 below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Local System Time Query via net time
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net time', followed by a second Process Create for net1.exe, to which net.exe delegates the command; the rule matches both images. Security Event ID 4688 (if command line auditing is enabled). Parent process will be cmd.exe or the test runner.
- Test 2: Timezone and Time Source Discovery via w32tm
Expected signal: Sysmon Event ID 1: two Process Create events for w32tm.exe, with CommandLine 'w32tm /tz' and 'w32tm /query /status'. Security Event ID 4688 for each invocation if audit process creation is enabled.
- Test 3: Remote System Time Discovery via net time with hostname
Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe (and the net1.exe child), CommandLine containing 'net time \\<hostname>'. Sysmon Event ID 3: Network connection to the target host on port 445 (SMB). Security Event ID 4688 if audit policy is configured.
- Test 4: System Time Discovery via PowerShell (Scripted Discovery Simulation)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing '[DateTime]::UtcNow', '[Environment]::TickCount', and '[System.TimeZoneInfo]'. PowerShell ScriptBlock Logging Event ID 4104 captures the full script. Sysmon Event ID 11: File Create for df00tech-time.txt in %TEMP%. Because this test reads the clock through in-process .NET calls and launches none of the binaries the rule matches, it validates logging coverage (4104 and command-line capture) rather than this rule; cover it with ScriptBlock-based detection.
References (10)
- https://attack.mitre.org/techniques/T1124/
- https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings
- https://msdn.microsoft.com/ms724961.aspx
- https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_net_time.yml
- https://www.picussecurity.com/resource/virtualization/sandbox-evasion-how-attackers-avoid-malware-analysis
- https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
- https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/