Discovery of a Remote System’s Time

Identifies use of various commands to query a remote system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system

id:fcdb99c2-ac3c-4bde-b664-4b336329bed2
categories:detect
confidence:low
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Discovery
techniques:T1124 System Time Discovery

Query

process where subtype.create and process_name == "net.exe" and
  command_line == "* time *" and command_line == "*\\\\*"
| unique parent_process_path, command_line

Contributors