Virtualization/Sandbox Evasion: Time Based Checks (T1497.003)

Tactics: Stealth, Discovery · Platforms: Linux, macOS, Windows

The interactive view maps 1 detection strategy, 47 software entries, 1 campaign to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Virtualization/Sandbox Evasion (T1497).

Overview

Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock.

Adversaries may use calls like `GetTickCount` and `GetSystemTimeAsFileTime` to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.

Explore