System Time Lookup
Detects use of the time command to look up the system time as part of host discovery.
Sigma rule
```yaml
title: System Time Lookup
id: 9bd28cfc-143f-4df2-9a13-968e31aa12de
status: Experimental
description: Detects use of time to look up the system time as part of host discovery
author: _pete_0, TheDFIRReport
references:
  - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time
  - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts
date: 2023/01/08
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains|all:
      - '/c'
      - 'time'
    Image|endswith:
      - '\cmd.exe'
  condition: selection
fields:
  - CommandLine
falsepositives:
  - Unknown
level: high
tags:
  - attack.discovery
  - attack.t1124
```
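The selection above, re-implemented as an added example (not part of the original rule or of any Sigma tooling) and run over constructed events. It shows that the `time` substring also matches unrelated commands such as `timeout`. The `runs_time_builtin` triage helper, its regex and the sample events are assumptions made for illustration.

```python
import re

# Selection values copied from the rule above.
CONTAINS_ALL = ["/c", "time"]
IMAGE_ENDSWITH = ["\\cmd.exe"]

CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process_creation events (not real telemetry).
EVENTS = [
    {"Image": CMD, "CommandLine": "cmd.exe /c time"},
    {"Image": CMD, "CommandLine": "CMD.EXE /C TIME /T"},
    {"Image": CMD, "CommandLine": "cmd.exe /c timeout /t 5 /nobreak"},
    {"Image": CMD, "CommandLine": r'cmd.exe /c "C:\Apps\runtime\update.bat"'},
    {"Image": CMD, "CommandLine": "cmd.exe /c whoami"},
    {"Image": PS, "CommandLine": "powershell.exe /c time"},
]


def rule_matches(event):
    """Apply the rule's selection: Sigma string matching is case-insensitive,
    |contains|all requires every substring, |endswith checks the suffix."""
    cmdline = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    return (all(s in cmdline for s in CONTAINS_ALL)
            and any(image.endswith(s) for s in IMAGE_ENDSWITH))


def runs_time_builtin(cmdline):
    """Hypothetical triage check (not in the rule): is the command passed
    to /c exactly the 'time' built-in, rather than a longer word?"""
    return re.search(r'/c\s+"?time(?=\s|"|$)', cmdline, re.IGNORECASE) is not None


def classify(event):
    """Label an event: no rule hit, a real 'time' call, or a substring-only hit."""
    if not rule_matches(event):
        return "no_match"
    if runs_time_builtin(event["CommandLine"]):
        return "time_builtin"
    return "substring_only"


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{classify(ev):15} {ev['CommandLine']}")
```

Hits labelled `substring_only` are alerts the rule raises at `level: high` even though no system time lookup took place.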