legitimate use of the system utilities to discover system time for legitimate reason

t1124
windows
sigma

Techniques

t1124

Sample rules

Discovery of a System Time

source: sigma
technicques:
- t1124

Description

Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

Detection logic

condition: 1 of selection_*
selection_time:
  CommandLine|contains: time
  Image|endswith:
  - \net.exe
  - \net1.exe
selection_w32tm:
  CommandLine|contains: tz
  Image|endswith: \w32tm.exe