Discovery of a System Time
Identifies use of the net, net1 and w32tm command-line utilities to query a system's time or time zone. An adversary may do this before executing a scheduled task, or to discover the time zone of a target system (ATT&CK T1124, System Time Discovery).
Sigma rule
title: Discovery of a System Time
id: b243b280-65fe-48df-ba07-6ddea7646427
status: test
description: Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-06-28
tags:
    - attack.discovery
    - attack.t1124
logsource:
    category: process_creation
    product: windows
detection:
    selection_time:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: 'time'
    selection_w32tm:
        Image|endswith: '\w32tm.exe'
        CommandLine|contains: 'tz'
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of the system utilities to discover system time for legitimate reason
level: low
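To make the detection logic concrete, the following is an added example (not part of the rule or of the SigmaHQ project) that evaluates the two selections and the `1 of selection_*` condition in plain Python over constructed Windows process_creation events. It assumes the default Sigma string semantics, where `endswith` and `contains` compare case-insensitively, and the sample `Image`/`CommandLine` values are made up for illustration. It also shows the main false-positive class a practitioner should expect: `CommandLine|contains: 'time'` on net.exe fires on any net command whose arguments happen to contain the substring, not only `net time`.

```python
"""Evaluate the 'Discovery of a System Time' Sigma rule against constructed
Windows process_creation events (added example, not the page's own code)."""

from dataclasses import dataclass

# Selection values copied from the rule above.
TIME_IMAGES = ("\\net.exe", "\\net1.exe")
TIME_CMDLINE = "time"
W32TM_IMAGE = "\\w32tm.exe"
W32TM_CMDLINE = "tz"


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation record: only the two fields the rule reads."""
    image: str          # Image: full path of the created process
    command_line: str   # CommandLine: arguments as logged


def _endswith(value: str, suffixes) -> bool:
    # Assumption: default Sigma modifiers match case-insensitively.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def selection_time(ev: ProcessEvent) -> bool:
    """selection_time: net.exe / net1.exe with 'time' anywhere in the command line."""
    return _endswith(ev.image, TIME_IMAGES) and _contains(ev.command_line, TIME_CMDLINE)


def selection_w32tm(ev: ProcessEvent) -> bool:
    """selection_w32tm: w32tm.exe with 'tz' anywhere in the command line."""
    return _endswith(ev.image, (W32TM_IMAGE,)) and _contains(ev.command_line, W32TM_CMDLINE)


def matches(ev: ProcessEvent) -> bool:
    """condition: 1 of selection_* (the rule fires if any selection matches)."""
    return selection_time(ev) or selection_w32tm(ev)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\net.exe", r"net time \\DC01"),              # true positive
    ProcessEvent(r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 time"),  # net.exe hands off to net1.exe
    ProcessEvent(r"C:\Windows\System32\w32tm.exe", "w32tm /tz"),                    # true positive
    ProcessEvent(r"C:\Windows\System32\w32tm.exe", "w32tm /query /status"),         # no 'tz': not matched
    ProcessEvent(r"C:\Windows\System32\net.exe", "net user"),                       # no 'time': not matched
    ProcessEvent(r"C:\Windows\System32\net.exe", r"net use X: \\fs01\timesheets"),  # false positive: 'time' substring
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd /c time /t"),                 # cmd.exe built-in: not covered
]


def run(events=SAMPLE_EVENTS):
    """Return one match verdict per event, in order."""
    return [matches(ev) for ev in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, run()):
        print(f"{'ALERT ' if hit else 'ok    '} {ev.image}  {ev.command_line}")
```

Two things the run makes visible: the last event shows that the rule only covers the three named binaries, so `time /t` inside cmd.exe (or `Get-Date` in PowerShell) goes unseen, and the `timesheets` event shows why the rule is rated `low` and why tuning on the full command line (for example, requiring `time` as a separate argument) is worth considering in a noisy environment.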
References
- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
Related rules
- Cisco Discovery
- Use of W32tm as Timer
- System Time Lookup
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript