The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing
net time \hostnameto gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by usingw32tm /tz. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a Scheduled Task (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.Detection: Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.
Platforms: Windows
Data Sources: Process monitoring, Process command-line parameters, API monitoring
Permissions Required: User
Identify the system time
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| computer_name | computer name to query | string | computer1 |
net time \\#{computer_name}
w32tm /tz
Identify the system time via PowerShell
Supported Platforms: Windows
Get-Date