title: System Time Discovery (T1124)
id: df00tech-t1124
status: experimental
description: "Adversaries may gather the system time and/or time zone settings from a local or remote system. System time is commonly queried to support time-bomb payloads (activating only after a preset date), sandbox evasion (detecting analysis environments via uptime or timestamp checks), encryption key generation seeded with timestamps, and victim targeting based on locale inference from timezone. Common methods include net time, w32tm /tz, GetSystemTime(), GetTickCount(), timedatectl, systemsetup -gettimezone, and ESXi-specific commands like esxcli system clock get. Malware families including Shamoon, ShrinkLocker, EvilBunny, Zebrocy, and Taidoor have all used system time queries for these purposes."
references:
  - https://attack.mitre.org/techniques/T1124/
  - https://df00tech.com/detections/T1124
author: df00tech
date: 2026/04/18
tags:
  - attack.t1124
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "NTP monitoring tools and network management platforms (SolarWinds, PRTG, Nagios) that routinely query system time for drift detection"
  - "IT automation scripts (Ansible, PowerShell DSC, SCCM) that check system time before applying scheduled changes or patches"
  - Software installations and license managers that validate the system clock before activating features or checking certificate expiry
  - Backup and replication agents that synchronize timestamps across systems or verify time consistency before initiating jobs
  - Security tools and SIEMs that query w32tm for time-sync audit compliance checks
level: low