Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Discovery
  4. >ATTACK-T1124
ATTACK-T1124Active

System Time Discovery

Statement

An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>systemsetup</code> on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)

System time information may be gathered in a number of ways, such as with Net on Windows by performing <code>net time \hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as <code>GetTickCount()</code> to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)

On network devices, Network Device CLI commands such as show clock detail can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) On ESXi servers, esxcli system clock get can be used for the same purpose.

In addition, system calls – such as <code>time()</code> – have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as <code>systemsetup -gettimezone</code> or <code>timeIntervalSinceNow</code> to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)

This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)

Location

Tactic
Discovery

Technique Details

Identifier
ATTACK-T1124
ATT&CK Page
View on MITRE

Tactics

Discovery

Platforms

ESXiLinuxmacOSNetwork DevicesWindows

Detection

Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery

No cross-framework mappings available

← Back to Discovery
Discovery43 controls
ATTACK-T1007System Service DiscoveryATTACK-T1010Application Window DiscoveryATTACK-T1012Query RegistryATTACK-T1016System Network Configuration DiscoveryATTACK-T1016.001Internet Connection DiscoveryATTACK-T1016.002Wi-Fi DiscoveryATTACK-T1018Remote System DiscoveryATTACK-T1033System Owner/User DiscoveryATTACK-T1046Network Service DiscoveryATTACK-T1049System Network Connections DiscoveryATTACK-T1057Process DiscoveryATTACK-T1069Permission Groups DiscoveryATTACK-T1069.001Local GroupsATTACK-T1069.002Domain GroupsATTACK-T1069.003Cloud GroupsATTACK-T1082System Information DiscoveryATTACK-T1083File and Directory DiscoveryATTACK-T1087Account DiscoveryATTACK-T1087.001Local AccountATTACK-T1087.002Domain AccountATTACK-T1087.003Email AccountATTACK-T1087.004Cloud AccountATTACK-T1120Peripheral Device DiscoveryATTACK-T1124System Time DiscoveryATTACK-T1135Network Share DiscoveryATTACK-T1201Password Policy DiscoveryATTACK-T1217Browser Information DiscoveryATTACK-T1482Domain Trust DiscoveryATTACK-T1518Software DiscoveryATTACK-T1518.001Security Software DiscoveryATTACK-T1518.002Backup Software DiscoveryATTACK-T1526Cloud Service DiscoveryATTACK-T1538Cloud Service DashboardATTACK-T1580Cloud Infrastructure DiscoveryATTACK-T1613Container and Resource DiscoveryATTACK-T1614System Location DiscoveryATTACK-T1614.001System Language DiscoveryATTACK-T1615Group Policy DiscoveryATTACK-T1619Cloud Storage Object DiscoveryATTACK-T1652Device Driver DiscoveryATTACK-T1654Log EnumerationATTACK-T1673Virtual Machine DiscoveryATTACK-T1680Local Storage Discovery