T1124 CrowdStrike LogScale · LogScale

Detect System Time Discovery in CrowdStrike LogScale

Adversaries may gather the system time and/or time zone settings from a local or remote system. System time is commonly queried to support time-bomb payloads (activating only after a preset date), sandbox evasion (detecting analysis environments via uptime or timestamp checks), encryption key generation seeded with timestamps, and victim targeting based on locale inference from timezone. Common methods include net time, w32tm /tz, GetSystemTime(), GetTickCount(), timedatectl, systemsetup -gettimezone, and ESXi-specific commands like esxcli system clock get. Malware families including Shamoon, ShrinkLocker, EvilBunny, Zebrocy, and Taidoor have all used system time queries for these purposes.

MITRE ATT&CK

Tactic
Discovery
Technique
T1124 System Time Discovery
Canonical reference
https://attack.mitre.org/techniques/T1124/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\|\/)((net1?\.exe)|(w32tm\.exe)|(timedatectl)|(systemsetup))$/
| CommandLine = /.+/
| case {
    ImageFileName = /(?i)net1?\.exe/ AND CommandLine = /(?i)\btime\b/ | IsNetTime := "true";
    * | IsNetTime := "false"
  }
| case {
    CommandLine = /(?i)net1?\.exe.*\btime\b.*\\\\/ | IsRemoteTimeQuery := "true";
    * | IsRemoteTimeQuery := "false"
  }
| case {
    ImageFileName = /(?i)w32tm\.exe/ | IsW32tmQuery := "true";
    * | IsW32tmQuery := "false"
  }
| case {
    CommandLine = /(?i)(\/tz|\/query|timezone|gettimezone)/ | IsTimezoneQuery := "true";
    * | IsTimezoneQuery := "false"
  }
| case {
    CommandLine = /(?i)(stripchart|gettickcount|uptime)/ | IsUptimeQuery := "true";
    * | IsUptimeQuery := "false"
  }
| case {
    ParentBaseFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe/ | SuspiciousParent := "true";
    * | SuspiciousParent := "false"
  }
| SuspicionScore :=
    if(IsNetTime = "true", 1, 0) +
    if(IsRemoteTimeQuery = "true", 1, 0) +
    if(IsW32tmQuery = "true", 1, 0) +
    if(IsTimezoneQuery = "true", 1, 0) +
    if(IsUptimeQuery = "true", 1, 0) +
    if(SuspiciousParent = "true", 1, 0)
| SuspicionScore > 0
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsNetTime, IsRemoteTimeQuery, IsW32tmQuery, IsTimezoneQuery, IsUptimeQuery, SuspiciousParent, SuspicionScore])
| sort(field=@timestamp, order=desc)
low severity high confidence

CrowdStrike LogScale (Falcon) CQL query detecting T1124 System Time Discovery using ProcessRollup2 events from the Falcon sensor. Identifies time-discovery binaries (net.exe, net1.exe, w32tm.exe, timedatectl, systemsetup) and enriches events with suspicion scoring covering remote time queries, timezone enumeration, uptime checks, and execution from suspicious parent processes.

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2)Falcon Complete / Insight telemetry

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • Windows NTP client (W32Time service) spawning w32tm.exe for scheduled synchronization appearing as w32tm /resync /force under svchost.exe
  • Enterprise monitoring platforms (SolarWinds, SCOM) executing net time periodically against servers to detect and alert on clock drift before it impacts authentication services
  • DevOps CI/CD pipeline agents running timedatectl or net time as a pre-flight check to ensure consistent timestamps on build artifacts and code signing operations
Download portable Sigma rule (.yml)

Other platforms for T1124

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Local System Time Query via net time

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net time'. Security Event ID 4688 (if command line auditing enabled). Parent process will be cmd.exe or the test runner.

  2. Test 2Timezone and Time Source Discovery via w32tm

    Expected signal: Sysmon Event ID 1: Two Process Create events — w32tm.exe with CommandLine 'w32tm /tz' and 'w32tm /query /status'. Security Event ID 4688 for each invocation if audit process creation is enabled.

  3. Test 3Remote System Time Discovery via net time with hostname

    Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe, CommandLine containing 'net time \\<hostname>'. Sysmon Event ID 3: Network connection to the target host on port 445 (SMB). Security Event ID 4688 if audit policy is configured.

  4. Test 4System Time Discovery via PowerShell (Scripted Discovery Simulation)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing '[DateTime]::UtcNow', '[Environment]::TickCount', and '[System.TimeZoneInfo]'. PowerShell ScriptBlock Logging Event ID 4104 captures the full script. Sysmon Event ID 11: File Create for df00tech-time.txt in %TEMP%.

Last updated: 2026-04-18 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1124 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1033System Owner/User DiscoveryT1082System Information DiscoveryT1016System Network Configuration DiscoveryT1497Virtualization/Sandbox EvasionT1497.001System ChecksT1053Scheduled Task/JobT1614System Location DiscoveryT1059.001PowerShellT1059.003Windows Command ShellT1485Data Destruction

Same Tactic: Discovery

Popular Detections