T1124: System Time Discovery

An adversary may gather the system time and/or time zone form a local or remote system. The system is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.

System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \hostname to gather the system time on a remote system. The victims time zone may also be inferred from the current system time or gathered by using w32tm /tz. The information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job, or to discover locality information based on time zone to assist in victim targeting.

Example

We will use the 2 utilities talked about on this technique to check the time on the host (This can also be done remotely but will require Administrator Privileges)

W32tm /tz

Net time