title: Time Based Checks (T1497.003)
id: df00tech-t1497-003
status: experimental
description: "Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that manipulate time mechanisms to simulate a longer elapsed time. This includes using GetTickCount and GetSystemTimeAsFileTime to detect time acceleration in sandboxes, implementing long sleep delays (minutes to hours) to outlast sandbox analysis timeouts, checking system uptime to verify the machine has been running for a reasonable period, comparing execution timing before and after a sleep to detect sandbox time manipulation, and using API hammering (excessive printf or I/O calls) to delay execution. Notable examples include SUNBURST (2-week dormancy), Ursnif (30-minute delay), Bumblebee (hardcoded and randomized sleep intervals), and TrickBot (printf-based API hammering)."
references:
  - https://attack.mitre.org/techniques/T1497/003/
  - https://df00tech.com/detections/T1497.003
author: df00tech
date: 2026/04/14
tags:
  - attack.t1497.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: EventID '*' matches every process_creation event, so this rule
  # fires on all process starts and must be replaced with concrete logic before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Batch scripts using timeout or ping for legitimate delays between operations
  - PowerShell scripts with Start-Sleep for pacing API calls to avoid rate limiting
  - System monitoring tools that check uptime as part of health reporting
  - Application installers that pause between installation phases
level: medium
