ATT&CK Technique

Time Based Checks

T1497.003 · stealth, discovery

Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock. Adversaries may use calls like GetTickCount and GetSystemTimeAsFileTime to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.
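As an added example, not part of this page or of MITRE's ATT&CK material, the script below shows the defender's side of the timing check described above: a sandbox operator can scan an API-call trace for a time-source call, a sleep, and a second time-source call, and compare the elapsed wall-clock time against the requested sleep to learn whether their own sleep acceleration would have been observable to the sample. The trace format (`ts_ms pid Api(args)`), the grouping of APIs into time sources and sleep calls, the tolerance and the sample trace are all constructed assumptions.

```python
"""Flag time-based sandbox checks in a constructed API-call trace.

Added example; the log format, API groupings and thresholds are assumptions,
not the output or rules of any real sandbox product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# APIs a sample typically queries to read a clock or tick counter (assumed set).
TIME_SOURCES = {
    "GetTickCount", "GetTickCount64", "GetSystemTimeAsFileTime",
    "QueryPerformanceCounter", "timeGetTime", "NtQuerySystemTime",
}
# APIs that introduce a delay (assumed set).
SLEEP_CALLS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)$")
MS_RE = re.compile(r"ms=(\d+)")


@dataclass
class Call:
    ts_ms: int   # trace wall clock in milliseconds
    pid: int
    api: str
    args: str


@dataclass
class Finding:
    index: int          # position of the sleep call in the parsed trace
    sleep_api: str
    requested_ms: int
    observed_ms: int    # wall clock between the bracketing time queries
    verdict: str


def parse_trace(text: str) -> list[Call]:
    """Parse 'ts_ms pid Api(args)' lines; '#' lines are comments."""
    calls: list[Call] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable trace line: {raw!r}")
        calls.append(Call(int(m["ts"]), int(m["pid"]), m["api"], m["args"]))
    return calls


def find_time_checks(calls: list[Call], window: int = 3, tolerance: float = 0.5) -> list[Finding]:
    """Report sleeps bracketed by time queries from the same process.

    If the trace's own clock advanced by less than (1 - tolerance) of the
    requested sleep, the sandbox skipped the sleep and the sample could
    detect that by comparing its two timestamps.
    """
    findings: list[Finding] = []
    for i, c in enumerate(calls):
        if c.api not in SLEEP_CALLS:
            continue
        m = MS_RE.search(c.args)
        requested = int(m.group(1)) if m else 0
        before = [j for j in range(max(0, i - window), i)
                  if calls[j].pid == c.pid and calls[j].api in TIME_SOURCES]
        after = [j for j in range(i + 1, min(len(calls), i + 1 + window))
                 if calls[j].pid == c.pid and calls[j].api in TIME_SOURCES]
        if not before or not after:
            continue  # no timing bracket around this sleep
        observed = calls[after[0]].ts_ms - calls[before[-1]].ts_ms
        if requested and observed < requested * (1 - tolerance):
            verdict = "sleep accelerated; sample can detect it"
        else:
            verdict = "sleep honoured"
        findings.append(Finding(i, c.api, requested, observed, verdict))
    return findings


# Constructed sample trace: one process whose 60 s sleep was skipped by the
# sandbox, one whose 2 s sleep ran in full, and one sleep with no time bracket.
SAMPLE_TRACE = r"""
# ts_ms pid Api(args)
1000 4242 GetTickCount()
1001 4242 Sleep(ms=60000)
1003 4242 GetTickCount()
1005 4242 ExitProcess(code=0)
2000 4243 GetSystemTimeAsFileTime()
2001 4243 Sleep(ms=2000)
4003 4243 GetSystemTimeAsFileTime()
4010 4243 CreateFileW(path=C:\tmp\x.txt)
5000 4244 Sleep(ms=500)
5500 4244 CreateFileW(path=C:\tmp\y.txt)
"""

if __name__ == "__main__":
    for f in find_time_checks(parse_trace(SAMPLE_TRACE)):
        print(f"call #{f.index} {f.sleep_api}: requested {f.requested_ms} ms, "
              f"observed {f.observed_ms} ms -> {f.verdict}")
```

Only sleeps bracketed by two clock reads from the same process are reported; a bare sleep with no surrounding time query is ordinary program behaviour and produces no finding. The window and tolerance are starting points to tune against a real trace source.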

Platforms: Linux, macOS, Windows

Actors Using This

14
8Base (russia_speaking_cybercrime)
BlackLotus (commercial_cybercrime_uefi_bootkit)
DarkGate Operators (russia_speaking_organized_cybercrime)
Emotet Operators (russia_speaking_organized_cybercrime)
Grandoreiro (latin_america_brazilian_organized_cybercrime)
Guildma / Astaroth (latin_america_brazilian_organized_cybercrime)
IcedID / BokBot Operators (Lunar Spider) (russia_speaking_organized_cybercrime)
Lazarus Group (north_korea)
Mekotio (latin_america_brazilian_organized_cybercrime)
Molerats / Gaza Cybergang (palestinian_territories)

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
command-and-control later

Atomic Tests

1
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
Delay execution with ping (sh · linux, macos)
Uses the ping command to introduce a delay before executing a malicious payload.
ping -c #{ping_count} 8.8.8.8 > /dev/null
#{evil_command}

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma): none
Analytics (MITRE CAR): none
Runtime / container (Falco): none
File / malware (YARA): none
Network (Suricata/Snort): none
Vuln scan (Nuclei): none

Caldera Emulation

1
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
1-min sleep (defense-evasion · darwin, linux, windows)
sleep 60

threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin