Find sigma rule

Attack: System Time Discovery

An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)

System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim’s time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount() to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)

On network devices, Network Device CLI commands such as show clock detail can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)

In addition, system calls – such as time() – have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone or timeIntervalSinceNow to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)

This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job(Citation: RSA EU12 They’re Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)

MITRE

Tactic

discovery

technique

T1124

Test : System Time Discovery W32tm as a Delay

OS

windows

Description:

identifies DCRat delay time tactics using w32tm. https://research.splunk.com/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/ https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains

Executor

command_prompt

Sigma Rule

proc_creation_win_w32tm.yml (id: 6da2c9f5-7c53-401b-aacb-92c040ce1215)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test