T1497.003
Time Based Evasion
Description from ATT&CK
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness)
Benign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as Pings, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)
Adversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)
Atomic Tests
Atomic Test #1 - Delay execution with ping
Uses the ping command to introduce a delay before executing a malicious payload.
Supported Platforms: linux,macos
auto_generated_guid: 8b87dd03-8204-478c-bac3-3959f6528de3
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
evil_command | Command to run after the delay | string | whoami |
ping_count | Number of ping requests to send (higher counts increase the delay) | integer | 250 |
Attack Commands: Run with sh!
1
2
ping -c #{ping_count} 8.8.8.8 > /dev/null
#{evil_command}