# Time Based Evasion

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.

**Example**

Ok so I won't put an example on this one, but I will point you to an article that does a great job of explaining a recent attack (SolarWinds, as of the time of writing). In short, the malware waited for 2 weeks!! before executing and running its malicious code, in order to evade defenses. It ran as legitimate software behaving normally, without making any malicious connections immediately; unlike many others, this one actually waited for 2 weeks. Take a good read at what happened, as this one is great. Just as mentioned before, Tasks/Jobs are good for this demo.
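As an added defender-side example (not part of the original page), the script below runs a simple hunting heuristic over constructed task-creation log lines: it flags scheduled tasks whose first trigger is set far after the task was created, which is the long-delay pattern described above. The log format, task names and user names are made up for the demo and are not real telemetry.

```python
"""Flag scheduled tasks whose first run is delayed far into the future.

The log lines below are CONSTRUCTED for this example; the field names loosely
mirror what a Windows task-creation event (e.g. Security 4698) exposes.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (one malformed line included on purpose).
SAMPLE_LOG_LINES = [
    '2020-03-01T10:00:00 EventID=4698 TaskName="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" '
    'SubjectUserName="SYSTEM" StartBoundary="2020-03-01T11:00:00"',
    '2020-03-01T10:05:00 EventID=4698 TaskName="\\Updater\\Sync" '
    'SubjectUserName="corp\\svc_build" StartBoundary="2020-03-15T10:05:00"',
    '2020-03-01T10:06:00 EventID=4698 TaskName="\\Backup\\Nightly" '
    'SubjectUserName="corp\\admin" StartBoundary="2020-03-02T02:00:00"',
    'garbage line that does not parse',
]

LINE_RE = re.compile(
    r'^(?P<created>\S+) EventID=4698 TaskName="(?P<task>[^"]+)" '
    r'SubjectUserName="(?P<user>[^"]+)" StartBoundary="(?P<start>[^"]+)"$'
)


def parse_event(line):
    """Return a dict with created/start datetimes, task and user; None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "created": datetime.fromisoformat(m["created"]),
        "start": datetime.fromisoformat(m["start"]),
        "task": m["task"],
        "user": m["user"],
    }


def flag_delayed_tasks(lines, threshold_days=7.0):
    """Return (task, delay_in_days, user) for tasks whose first run is
    at least threshold_days after creation. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        delay = (ev["start"] - ev["created"]) / timedelta(days=1)
        if delay >= threshold_days:
            hits.append((ev["task"], round(delay, 2), ev["user"]))
    return hits


if __name__ == "__main__":
    for task, delay, user in flag_delayed_tasks(SAMPLE_LOG_LINES):
        print(f"[!] {task} (created by {user}) first runs {delay} days after creation")
```

The threshold is deliberately a parameter: a 7-day cut-off catches the two-week delay in the sample, while a lower one surfaces ordinary overnight jobs, so tune it against your own baseline of legitimate task schedules.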

References:

{% embed url="https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/" %}

{% embed url="https://redtape.substack.com/p/solarwinds-hack-what-we-know-and" %}

[Animated SolarWinds Breach Attack Flow - EP1](https://www.youtube.com/watch?v=b67Onrkj7PM)
