System time discovery identified


Rule name: System time discovery identified

Rule type: Standard

Log sources: Windows, Sysmon

MITRE ATT&CK tags: Discovery: System Time Discovery (T1124)

Severity: Attention

About the rule

Rule Type

Standard

Rule Description

Adversaries may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.

Why this rule?

Adversaries query system time to coordinate actions, evade detection by timing their activities, or establish synchronization for distributed attacks. This reconnaissance technique helps attackers understand the victim environment and can indicate early-stage attack preparation. Monitoring time discovery attempts provides visibility into potential adversary reconnaissance activities.

Severity

Attention

Rule journey

Attack chain scenario

Initial Access → Execution → Discovery → System Time Discovery → Coordination of time-sensitive malicious tasks or lateral movement.

Impact

  1. Adversaries use time information to plan scheduled tasks.
  2. Synchronization of attacks across multiple systems in the network.
  3. Evasion of time-based security controls.

Rule Requirement

Prerequisites

Enable Process Creation auditing (Event ID 4688) or Sysmon Event ID 1. Ensure command-line logging is enabled to capture arguments like "time".

Criteria

Action1: actionname = "Process started" AND (
    ( PROCESSNAME endswith "net.exe,net1.exe" OR ORIGINALFILENAME = "net.exe,net1.exe" )
      AND ( COMMANDLINE contains "time" AND COMMANDLINE notcontains "/set" )
    OR ( PROCESSNAME contains "w32tm.exe" AND COMMANDLINE contains "/tz" )
    OR ( PROCESSNAME endswith "powershell.exe,pwsh.exe" AND COMMANDLINE contains "Get-Date" )
    OR ( PROCESSNAME endswith "tzutil.exe" AND COMMANDLINE contains "/g" )
)
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME,
       Action1.USERNAME, Action1.PARENTPROCESSNAME, Action1.DOMAIN, Action1.ORIGINALFILENAME,
       Action1.PARENTPROCESSID, Action1.PROCESSID, Action1.PRODUCT_NAME, Action1.SECURITYID
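To see exactly what the Criteria above flag (and what the "/set" exclusion drops), here is an added Python re-implementation of the rule logic run over constructed process-creation events; it is not the vendor's rule engine or code. It assumes the DSL's contains/endswith comparisons are case-insensitive and that the comma-separated values are alternatives; the remote_target helper (an added name) pulls the \\host argument out of a net time command line to support the local-versus-remote check in Next Steps.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProcessEvent:
    """One process-creation event (Sysmon EID 1 / Security 4688); fields are constructed."""
    hostname: str
    username: str
    processname: str        # full image path
    originalfilename: str   # PE OriginalFileName from the version resource
    commandline: str

NET_BINARIES = ("net.exe", "net1.exe")
SHELLS = ("powershell.exe", "pwsh.exe")

def matches_system_time_discovery(ev: ProcessEvent) -> bool:
    """Re-implements the rule Criteria; matching is case-insensitive (assumption)."""
    proc = ev.processname.lower()
    cmd = ev.commandline.lower()
    net_time = (
        (proc.endswith(NET_BINARIES) or ev.originalfilename.lower() in NET_BINARIES)
        and "time" in cmd
        and "/set" not in cmd          # 'net time /set' changes the clock; rule excludes it
    )
    w32tm_tz = "w32tm.exe" in proc and "/tz" in cmd
    ps_get_date = proc.endswith(SHELLS) and "get-date" in cmd
    tzutil_get = proc.endswith("tzutil.exe") and "/g" in cmd
    return net_time or w32tm_tz or ps_get_date or tzutil_get

def remote_target(ev: ProcessEvent) -> Optional[str]:
    """Host named after a double backslash on the command line, or None if the local clock was read."""
    m = re.search(r"\\\\([A-Za-z0-9._-]+)", ev.commandline)
    return m.group(1) if m else None

# Constructed sample events (not real telemetry); hosts and users are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\alice", r"C:\Windows\System32\net.exe", "net.exe", r"net time \\DC01"),
    ProcessEvent("WS01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\net.exe", "net.exe", r"net time \\DC01 /set /y"),
    ProcessEvent("WS02", "CORP\\bob", r"C:\Windows\System32\w32tm.exe", "w32tm.exe", "w32tm /tz"),
    ProcessEvent("WS02", "CORP\\bob", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE", "powershell.exe -NoP -c Get-Date"),
    ProcessEvent("WS03", "CORP\\carol", r"C:\Windows\System32\tzutil.exe", "tzutil.exe", "tzutil /g"),
    ProcessEvent("WS03", "CORP\\carol", r"C:\Windows\System32\tzutil.exe", "tzutil.exe", 'tzutil /s "Pacific Standard Time"'),
]

def find_hits(events):
    """Return (hostname, username, commandline, remote_target) for every matching event."""
    return [(e.hostname, e.username, e.commandline, remote_target(e))
            for e in events if matches_system_time_discovery(e)]
```

Running find_hits(SAMPLE_EVENTS) yields four hits; the /set and tzutil /s events are not flagged, and only the first hit names a remote host.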

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Discovery: System Time Discovery (T1124)

Future actions

Known False Positives

Administrative troubleshooting scripts, legitimate time synchronization monitoring, or automated system maintenance tasks that check local time.

Next Steps

  1. Identification: Identify the user and process that executed the time discovery command.
  2. Analysis: Check if the command was executed on a local system or directed toward a remote domain controller.
  3. Response: If the activity is part of an unapproved script, investigate the source process for further discovery commands.