Detect Time Based Checks in IBM QRadar
Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This includes using GetTickCount and GetSystemTimeAsFileTime to detect time acceleration in sandboxes, implementing long sleep delays (minutes to hours) to outlast sandbox analysis timeouts, checking system uptime to verify the machine has been running for a reasonable period, computing execution timing differences before and after sleep to detect sandbox time manipulation, and using API hammering (excessive printf or I/O calls) to delay execution. Notable examples include SUNBURST (2-week dormancy), Ursnif (30-minute delay), Bumblebee (hardcoded and randomized sleep intervals), and TrickBot (printf-based API hammering).
MITRE ATT&CK
- Tactic: Defense Evasion, Discovery
- Technique: T1497 Virtualization/Sandbox Evasion
- Sub-technique: T1497.003 Time Based Checks
- Canonical reference: https://attack.mitre.org/techniques/T1497/003/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
LOGSOURCENAME(logsourceid) AS log_source,
sourceip AS host_ip,
username,
"Image" AS process_image,
"CommandLine" AS command_line,
"ParentImage" AS parent_image,
"ParentCommandLine" AS parent_command_line,
CASE
WHEN "CommandLine" MATCHES '(?i).*(gettickcount|getsystemtimeasfiletime|queryperformancecounter|ntquerysystemtime|timegettime|getsystemtime).*' THEN 2
ELSE 0
END +
CASE
WHEN "Image" MATCHES '(?i).*\\timeout\.exe$' AND "CommandLine" MATCHES '(?i).*\/t\s+\d{3,}.*' THEN 2
ELSE 0
END +
CASE
WHEN "Image" MATCHES '(?i).*\\ping\.exe$' AND "CommandLine" MATCHES '.*-n\s+\d{3,}\s+127\.0\.0\.1.*' THEN 2
ELSE 0
END +
CASE
WHEN "CommandLine" MATCHES '(?i).*(start-sleep|wscript\.sleep|thread\.sleep).*' THEN 1
ELSE 0
END +
CASE
WHEN "CommandLine" MATCHES '(?i).*(lastbootuptime|boot time|net statistics).*' THEN 1
ELSE 0
END AS suspicion_score
FROM events
WHERE
starttime > NOW() - 86400000
AND (
"CommandLine" MATCHES '(?i).*(gettickcount|getsystemtimeasfiletime|queryperformancecounter|ntquerysystemtime|timegettime|getsystemtime).*'
OR ("Image" MATCHES '(?i).*\\timeout\.exe$' AND "CommandLine" IMATCHES '%/t %')
OR ("Image" MATCHES '(?i).*\\ping\.exe$' AND "CommandLine" IMATCHES '%-n % 127.0.0.1%')
OR "CommandLine" MATCHES '(?i).*(start-sleep|wscript\.sleep|thread\.sleep).*'
OR "CommandLine" MATCHES '(?i).*(lastbootuptime|boot time|net statistics).*'
)
HAVING suspicion_score > 0
ORDER BY starttime DESC
LAST 24 HOURS
QRadar AQL query detecting T1497.003 time-based evasion techniques by parsing Sysmon EventID 1 (Process Create) fields extracted via the QRadar Sysmon DSM. It applies a composite suspicion score across timing API usage, long sleep patterns, scripting sleep calls, and uptime enumeration; the WHERE clause casts a broad net (any timeout.exe /t or loopback ping), and the HAVING clause keeps only events whose scored patterns (for example a delay of 100 or more) actually fired. Because starttime and NOW() are epoch milliseconds in AQL, the 24-hour window is expressed as NOW() - 86400000. Requires the Microsoft Windows Sysmon DSM to be installed and configured to extract Image and CommandLine fields.
False Positives & Tuning
- Administrative PowerShell scripts querying net statistics server or net statistics workstation for uptime dashboards
- Software deployment tools (SCCM, PDQ Deploy) using timeout.exe or ping-based delays between installation phases
- Developers referencing QueryPerformanceCounter or GetTickCount in build pipeline or profiling scripts
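To check the query's scoring and the tuning notes offline, the following is an added Python re-implementation of the five CASE branches (example code, not part of the original page or of any QRadar DSM) run over constructed Sysmon Event ID 1 records, including a short deployment-tool timeout that the WHERE clause would admit but the score excludes. It assumes AQL MATCHES behaves as a whole-string Java match, hence re.fullmatch.

```python
import re

# Weights and regexes copied from the query's CASE branches:
# (weight, Image pattern or None, CommandLine pattern)
RULES = [
    (2, None, r'(?i).*(gettickcount|getsystemtimeasfiletime|queryperformancecounter|'
              r'ntquerysystemtime|timegettime|getsystemtime).*'),
    (2, r'(?i).*\\timeout\.exe', r'(?i).*/t\s+\d{3,}.*'),          # timeout.exe /t NNN+
    (2, r'(?i).*\\ping\.exe', r'.*-n\s+\d{3,}\s+127\.0\.0\.1.*'),  # ping -n NNN+ loopback
    (1, None, r'(?i).*(start-sleep|wscript\.sleep|thread\.sleep).*'),
    (1, None, r'(?i).*(lastbootuptime|boot time|net statistics).*'),
]


def suspicion_score(image: str, command_line: str) -> int:
    """Sum the weights of every rule whose Image and CommandLine patterns both match."""
    score = 0
    for weight, image_re, cmd_re in RULES:
        if image_re and not re.fullmatch(image_re, image):
            continue
        if re.fullmatch(cmd_re, command_line):
            score += weight
    return score


def scored_events(events):
    """Mimic HAVING suspicion_score > 0: return (CommandLine, score) for scored events only."""
    out = []
    for ev in events:
        s = suspicion_score(ev["Image"], ev["CommandLine"])
        if s > 0:
            out.append((ev["CommandLine"], s))
    return out


# Constructed Sysmon Event ID 1 records (not real telemetry); assumed file paths.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\timeout.exe", "CommandLine": "timeout.exe /t 180"},
    {"Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 300 127.0.0.1"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "CommandLine": "wmic os get lastbootuptime"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Start-Sleep -Seconds 900; '
                    '(Get-CimInstance Win32_OperatingSystem).LastBootUpTime"'},
    # Deployment-tool style pause: only two digits after /t, so it scores 0 and is dropped
    {"Image": r"C:\Windows\System32\timeout.exe", "CommandLine": "timeout.exe /t 30 /nobreak"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net statistics server"},
]

if __name__ == "__main__":
    for cmd, s in scored_events(SAMPLE_EVENTS):
        print(f"{s}  {cmd}")
```

The PowerShell record scores 2 because it trips both the scripting-sleep and uptime branches, while the net statistics record scores only 1, which is the kind of low-score administrative hit the tuning notes describe.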
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Extended timeout delay for sandbox evasion
Expected signal: Sysmon Event ID 1: Process Create for timeout.exe with '/t 180' argument. The process will be visible in the task list for the duration of the delay. Security Event ID 4688 with command line.
- Test 2: Ping-based sleep for sandbox evasion
Expected signal: Sysmon Event ID 1: Process Create for ping.exe with '-n 300 127.0.0.1' arguments. Sysmon Event ID 3: Network Connection events to 127.0.0.1 (loopback).
- Test 3: WMI uptime check for sandbox detection
Expected signal: Sysmon Event ID 1: Process Create for wmic.exe with 'os get lastbootuptime' arguments. WMI Operational log entry for Win32_OperatingSystem query.
References
- https://attack.mitre.org/techniques/T1497/003/
- https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://www.welivesecurity.com/2019/07/okrum-ke3chang-malware/
- https://unit42.paloaltonetworks.com/atoms/bendybear/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.003/T1497.003.md