- Tactics: stealth, Discovery
- Platforms: Linux, macOS, Windows
- Reference: attack.mitre.org/techniques/T1497.003
Description
Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock.
Adversaries may use calls like GetTickCount and GetSystemTimeAsFileTime to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment’s timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)
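The timing check described above leaves a recognisable footprint in a sandbox's API-call trace: a clock read, a long sleep request, then another clock read on the same thread. The following is an added example (not part of the MITRE description or of GTK Cyber's material) of triage logic that scans such a trace for that pattern. The trace format (`tid=<n> api=<name>[ ms=<n>]`), the `SAMPLE_TRACE` lines, the `max_gap` and `min_sleep_ms` thresholds and the function names are all assumptions constructed for this example; the API names in `CLOCK_APIS` and `SLEEP_APIS` are real Windows APIs, two of which the text above names.

```python
"""Flag sleep-bracketed clock reads in a sandbox API-call trace (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Clock sources a sample can compare before and after a sleep.
CLOCK_APIS = {"GetTickCount", "GetTickCount64", "GetSystemTimeAsFileTime",
              "QueryPerformanceCounter", "timeGetTime", "NtQuerySystemTime"}
# Delay primitives that sandboxes commonly accelerate or skip.
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}


@dataclass(frozen=True)
class Call:
    tid: int                 # thread that issued the call
    seq: int                 # position in the trace
    api: str                 # API name as recorded by the monitor
    ms: Optional[int] = None  # requested delay for SLEEP_APIS, else None


def parse_trace(lines: List[str]) -> List[Call]:
    """Parse 'tid=<n> api=<name>[ ms=<n>]' lines (hypothetical trace format)."""
    calls = []
    for seq, line in enumerate(lines):
        fields = dict(tok.split("=", 1) for tok in line.split())
        calls.append(Call(tid=int(fields["tid"]), seq=seq, api=fields["api"],
                          ms=int(fields["ms"]) if "ms" in fields else None))
    return calls


def find_timing_checks(calls: List[Call], max_gap: int = 3,
                       min_sleep_ms: int = 1000) -> List[Tuple[int, int, int, int, int]]:
    """Per thread, find clock-read -> sleep -> clock-read triples.

    Only sleeps of at least min_sleep_ms count (short sleeps are normal in
    polling loops), and at most max_gap unrelated calls may sit between
    consecutive elements. One hit is reported per sleep, as
    (tid, first_clock_seq, sleep_seq, second_clock_seq, requested_ms).
    """
    per_thread = defaultdict(list)
    for c in calls:
        per_thread[c.tid].append(c)

    hits, seen_sleeps = [], set()
    for tid, seq_calls in per_thread.items():
        for i, first in enumerate(seq_calls):
            if first.api not in CLOCK_APIS:
                continue
            # Look ahead a bounded distance for a qualifying sleep.
            for j in range(i + 1, min(i + 2 + max_gap, len(seq_calls))):
                mid = seq_calls[j]
                if mid.api not in SLEEP_APIS:
                    continue
                if (mid.ms or 0) < min_sleep_ms or mid.seq in seen_sleeps:
                    break
                # Then look ahead again for the second clock read.
                for k in range(j + 1, min(j + 2 + max_gap, len(seq_calls))):
                    last = seq_calls[k]
                    if last.api in CLOCK_APIS:
                        hits.append((tid, first.seq, mid.seq, last.seq, mid.ms))
                        seen_sleeps.add(mid.seq)
                        break
                break
    return hits


# Constructed sample trace: three threads, two of which bracket a long sleep
# with clock reads (thread 200 is a benign short polling delay).
SAMPLE_TRACE = [
    "tid=100 api=GetSystemTimeAsFileTime",
    "tid=100 api=Sleep ms=120000",
    "tid=100 api=GetSystemTimeAsFileTime",
    "tid=100 api=CreateFileW",
    "tid=200 api=GetTickCount",
    "tid=200 api=Sleep ms=10",
    "tid=200 api=GetTickCount",
    "tid=300 api=QueryPerformanceCounter",
    "tid=300 api=RegOpenKeyExW",
    "tid=300 api=NtDelayExecution ms=60000",
    "tid=300 api=RegCloseKey",
    "tid=300 api=GetTickCount64",
]


def scan(lines: List[str]) -> List[Tuple[int, int, int, int, int]]:
    """Convenience wrapper: parse and scan in one step."""
    return find_timing_checks(parse_trace(lines))


if __name__ == "__main__":
    for tid, a, s, b, ms in scan(SAMPLE_TRACE):
        print(f"thread {tid}: clock read @{a}, sleep {ms} ms @{s}, clock read @{b}")
```

The pattern is heuristic rather than conclusive: benchmarking code and retry loops also read a clock around a delay. Its value in triage is as an enrichment signal, and in sandbox operations as a self-check that accelerated sleeps keep every clock source in `CLOCK_APIS` consistent with each other, so that skipping the delay does not itself become the artifact the sample is looking for.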
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the stealth and Discovery tactics this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1006 — Direct Volume Access
- T1007 — System Service Discovery
- T1010 — Application Window Discovery
- T1012 — Query Registry
- T1014 — Rootkit
- T1016 — System Network Configuration Discovery
- T1018 — Remote System Discovery
- T1027 — Obfuscated Files or Information
- T1033 — System Owner/User Discovery
- T1036 — Masquerading
- T1040 — Network Sniffing
- T1046 — Network Service Discovery