PT Network Attack Discovery

Helps reconstruct the attack timeline and understand the sources and scale of threats

T1124: System Time Discovery

An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS. These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.

System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. In addition, adversaries can discover device uptime through functions such as GetTickCount() to determine how long it has been since the system booted up.

On network devices, Network Device CLI commands such as show clock detail can be used to see the current time configuration.

In addition, system calls – such as time() – have been used to collect the current time on Linux devices. On macOS systems, adversaries may use commands such as systemsetup -gettimezone or timeIntervalSinceNow to gather current time zone information or current date and time.

This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job, or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.

Positive Technologies products that cover the technique

Detection

PT NAD contains rules detecting requests for system information via the MWI interface including the rule detecting requests to the Win32_OperatingSystem class. This allows to discover requests for the LocalDateTime field, which represents the local system time, but the operator should verify the required field in the attack card.

Examples of PT NAD detection rules

  • ATTACK [PTsecurity] WMI OS info enumeration via WQL (sid 10008791)
  • ATTACK [PTsecurity] Enumeration query via WQL (sid 10005804)

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for newly executed processes that may gather the system time and/or time zone from a local or remote system.

IDDS0009Data source and componentProcess: OS API ExecutionDescription

Monitor for API calls that may gather the system time and/or time zone from a local or remote system. Remote access tools with built-in features may interact directly with the Windows API to gather information.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments for actions that may gather the system time and/or time zone from a local or remote system.