# Time Based Evasion

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.

**Example**

Ok, so I won't put an example on this one, but I will point you to an article that does a great job of explaining an attack that was recent as of the time of writing: SolarWinds. In short, the malware waited for 2 weeks before executing its malicious code, in order to evade defenses. Many other samples make malicious connections immediately; this one looked like legitimate software running normally and actually waited for 2 weeks. Take a good read through what happened, as this one is great. As mentioned before, Scheduled Tasks/Jobs are good for this demo.
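Seen from the analysis side, the delays described above show up as requested sleep time that eats or outlasts a sandbox run. The following check is an added example, not part of the original page: the trace tuple format, the thresholds and the `flag_stalling` name are assumptions made for illustration, and the sample trace is constructed.

```python
from collections import defaultdict

# Windows delay calls to account for; the trace format below is hypothetical.
DELAY_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}

# Constructed sample trace, not from a real run:
# (seconds since analysis start, pid, api name, requested delay in ms)
SAMPLE_TRACE = [
    (0.4, 1200, "CreateFileW", 0),
    (0.9, 1200, "Sleep", 600_000),            # one 10-minute sleep
    (1.0, 1340, "Sleep", 50),                 # short, ordinary waits
    (1.2, 1340, "Sleep", 50),
    (1.5, 1388, "NtDelayExecution", 45_000),  # medium sleeps that add up
    (46.5, 1388, "NtDelayExecution", 45_000),
    (91.5, 1388, "NtDelayExecution", 45_000),
]

def flag_stalling(trace, window_s=120, ratio=0.5):
    """Flag processes whose requested delays outlast or dominate the
    analysis window, and suggest a window long enough to see past them."""
    total = defaultdict(float)    # summed requested delay per pid (seconds)
    longest = defaultdict(float)  # largest single delay per pid (seconds)
    for _ts, pid, api, delay_ms in trace:
        if api in DELAY_APIS:
            total[pid] += delay_ms / 1000
            longest[pid] = max(longest[pid], delay_ms / 1000)

    findings = {}
    for pid, requested in total.items():
        if longest[pid] >= window_s:
            reason = "single delay outlasts analysis window"
        elif requested >= window_s * ratio:
            reason = "cumulative delay dominates analysis window"
        else:
            continue  # delays are small relative to the run
        findings[pid] = {
            "reason": reason,
            "requested_delay_s": requested,
            # Re-run long enough to cover the delay plus a normal window.
            "rerun_window_s": requested + window_s,
        }
    return findings

if __name__ == "__main__":
    for pid, info in sorted(flag_stalling(SAMPLE_TRACE).items()):
        print(pid, info)
```

A flagged process has not been shown to be malicious; the verdict from that run is incomplete, and the sample should be re-analyzed with a longer window.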

References:

<https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/>

<https://redtape.substack.com/p/solarwinds-hack-what-we-know-and>

[Animated SolarWinds Breach Attack Flow - EP1](https://www.youtube.com/watch?v=b67Onrkj7PM)
