Discovery of a Remote System’s Time
Identifies use of various commands to query a remote system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
| id: | fcdb99c2-ac3c-4bde-b664-4b336329bed2 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
Query
process where subtype.create and process_name == "net.exe" and
command_line == "* time *" and command_line == "*\\\\*"
| unique parent_process_path, command_line
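
The query's logic replayed over constructed process-creation events, as an added example that is not part of the original analytic. The event dictionaries, host names and paths are hypothetical; case-insensitive matching and reading `subtype.create` as `subtype == "create"` are assumptions about how the query is evaluated.

```python
import re

# Wildcard patterns from the query. The EQL string "*\\\\*" denotes two
# literal backslashes between wildcards, i.e. a UNC prefix such as \\host.
PATTERNS = ["* time *", "*\\\\*"]

def wildcard(pattern):
    """Compile an EQL-style wildcard (* = any run of characters) to a regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)  # assumed case-insensitive

COMPILED = [wildcard(p) for p in PATTERNS]

def matches(event):
    """Apply the where-clause to one process event (dict keyed by the query's fields)."""
    if event.get("subtype") != "create":  # assumed meaning of subtype.create
        return False
    if event.get("process_name", "").lower() != "net.exe":
        return False
    cmd = event.get("command_line", "")
    return all(rx.fullmatch(cmd) for rx in COMPILED)

def detect(events):
    """Filter events, then emulate `| unique parent_process_path, command_line`."""
    seen, hits = set(), []
    for ev in events:
        key = (ev.get("parent_process_path"), ev.get("command_line"))
        if matches(ev) and key not in seen:
            seen.add(key)
            hits.append(ev)
    return hits

def ev(subtype, name, parent, cmd):
    return {"subtype": subtype, "process_name": name,
            "parent_process_path": parent, "command_line": cmd}

# Constructed sample events (hypothetical hosts and paths, not real telemetry).
CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE = [
    ev("create", "net.exe", CMD, "net time \\\\fileserver01"),
    ev("create", "net.exe", CMD, "net time \\\\fileserver01"),        # dropped by unique
    ev("create", "NET.EXE", PS, "net.exe TIME \\\\dc01"),             # case variant
    ev("create", "net.exe", CMD, "net use \\\\fileserver01\\share"),  # UNC but no " time "
    ev("terminate", "net.exe", CMD, "net time \\\\fileserver01"),     # not a create event
]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit["parent_process_path"], "->", hit["command_line"])
```
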