Try it using Invoke-Atomic

System Time Discovery

Description from ATT&CK

An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)

System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.(Citation: Technet Windows Time Service)

On network devices, Network Device CLI commands such as

1
show clock detail
can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)

This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)

Atomic Tests

Atomic Test #1 - System Time Discovery

Identify the system time. Upon execution, the local computer system time and timezone will be displayed.

Supported Platforms: windows

auto_generated_guid: 20aba24b-e61f-4b26-b4ce-4784f763ca20

Inputs:

Name Description Type Default Value
computer_name computer name to query string localhost

Attack Commands: Run with command_prompt!

1
2
3
net time \\#{computer_name}
w32tm /tz

Atomic Test #2 - System Time Discovery - PowerShell

Identify the system time via PowerShell. Upon execution, the system time will be displayed.

Supported Platforms: windows

auto_generated_guid: 1d5711d6-655c-4a47-ae9c-6503c74fa877

Inputs:

None

Attack Commands: Run with powershell!

1
2
Get-Date

Atomic Test #3 - System Time Discovery in FreeBSD/macOS

Identify system time. Upon execution, the local computer system time and timezone will be displayed.

Supported Platforms: freebsd,macos

auto_generated_guid: f449c933-0891-407f-821e-7916a21a1a6f

Inputs:

None

Attack Commands: Run with sh!

1
2
date

Atomic Test #4 - System Time Discovery W32tm as a Delay

identifies DCRat delay time tactics using w32tm. https://research.splunk.com/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/ https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains

Supported Platforms: windows

auto_generated_guid: d5d5a6b0-0f92-42d8-985d-47aafa2dd4db

Inputs:

None

Attack Commands: Run with command_prompt!

1
2
W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Atomic Test #5 - System Time with Windows time Command

Displays the current system time via the Windows builtin time command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time Recently observed in use in the wild during an incident involving Ursnif malware: https://github.com/The-DFIR-Report/Sigma-Rules/blob/dc72f0b557fc63347379be0a33439788256761c8/rules/windows/process_creation/proc_creation_win_system_time_lookup.yml https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/

Supported Platforms: windows

auto_generated_guid: 53ead5db-7098-4111-bb3f-563be390e72e

Inputs:

None

Attack Commands: Run with command_prompt!

1
2
time

source