Time Based Evasion

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.

Example

OK, so I won't put an example on this one, but I will point you to an article that does a great job of explaining a recent attack (SolarWinds, as of the time of writing). In short, the malware waited two weeks before executing its malicious code, which is how it evaded defenses: it ran as legitimate software, making no malicious connections immediately like many others do, and only acted after those two weeks had passed. Take a good read of what happened, as this one is great. As mentioned before, Scheduled Tasks/Jobs are well suited to demonstrating this technique.
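As an added, defender-side example (not part of this page or the referenced article), the following Python script flags newly registered scheduled tasks whose first run is far in the future, the registration-to-first-run gap that a short-lived sandbox never sees fire. The log line format and the sample entries are constructed for the demo and are not the real Windows task-scheduler event format.

```python
"""Flag newly registered scheduled tasks whose first run lies far in the future.

Constructed example for the delay-based evasion described on this page; the log
format below is invented for the demo and is NOT the Windows 4698 event format.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines: registration time, task name, first scheduled run.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z task_registered name="BackupSync" start=2024-03-01T11:00:00Z
2024-03-01T10:05:00Z task_registered name="UpdateCheck" start=2024-03-15T10:05:00Z
2024-03-02T08:30:00Z task_registered name="DiskCleanup" start=2024-03-03T08:30:00Z
2024-03-02T09:00:00Z task_registered name="TelemetryUpload" start=2024-04-01T09:00:00Z
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) task_registered name="(?P<name>[^"]+)" start=(?P<start>\S+)$'
)


def _parse_ts(value: str) -> datetime:
    # Timestamps in the constructed log are UTC ISO-8601 with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_delayed_tasks(log_text: str, min_delay: timedelta = timedelta(days=7)):
    """Return (task name, delay) for every task whose first run is at least
    `min_delay` after registration. Default threshold is one week; the
    SolarWinds case discussed above waited two weeks."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not registration events
        delay = _parse_ts(m["start"]) - _parse_ts(m["ts"])
        if delay >= min_delay:
            hits.append((m["name"], delay))
    return hits


if __name__ == "__main__":
    for name, delay in find_delayed_tasks(SAMPLE_LOG):
        print(f"{name}: first run delayed by {delay.days} days")
```

Tune `min_delay` to what is normal for your environment; legitimate maintenance tasks rarely wait more than a few days before their first run, so long gaps are worth a second look.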

References:

Animated SolarWinds Breach Attack Flow - EP1
