Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Обход на основе времени
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Обход на основе времени
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Virtualization/Sandbox Evasion:  Обход на основе времени

ID Название
.001 Системные проверки
.002 Проверки активности пользователя
.003 Обход на основе времени

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time. Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness) Benign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as Pings, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot) Adversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)

ID: T1497.003
Относится к технике:  T1497
Тактика(-и): Defense Evasion, Discovery
Платформы: Linux, macOS, Windows
Источники данных: Command: Command Execution, Process: OS API Execution, Process: Process Creation
Версия: 1.3
Дата создания: 06 Mar 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
Raindrop

After initial installation, Raindrop runs a computation to delay execution.(Citation: Symantec RAINDROP January 2021)
P8RAT

P8RAT has the ability to "sleep" for a specified time to evade detection.(Citation: Securelist APT10 March 2021)
SUNBURST

SUNBURST remained dormant after initial access for a period of up to two weeks.(Citation: FireEye SUNBURST Backdoor December 2020)
BendyBear

BendyBear can check for analysis environments and signs of debugging using the Windows API kernel32!GetTickCountKernel32 call.(Citation: Unit42 BendyBear Feb 2021)

Egregor

Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.(Citation: JoeSecurity Egregor 2020)
Clop

Clop has used the sleep command to avoid sandbox detection.(Citation: Unit42 Clop April 2021)
SodaMaster

SodaMaster has the ability to put itself to "sleep" for a specified time.(Citation: Securelist APT10 March 2021)
Clambling

Clambling can wait 30 minutes before initiating contact with C2.(Citation: Trend Micro DRBControl February 2020)
Ursnif

Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.(Citation: TrendMicro Ursnif File Dec 2014)
Okrum

Okrum's loader can detect presence of an emulator by using two calls to GetTickCount API, and checking whether the time has been accelerated.(Citation: ESET Okrum July 2019)
FatDuke

FatDuke can turn itself on or off at random intervals.(Citation: ESET Dukes October 2019)
DarkTortilla

DarkTortilla can implement the `kernel32.dll` Sleep function to delay execution for up to 300 seconds before implementing persistence or processing an addon package.(Citation: Secureworks DarkTortilla Aug 2022)
LunarWeb

LunarWeb can pause for a number of hours before entering its C2 communication loop.(Citation: ESET Turla Lunar toolset May 2024)
Bumblebee

Bumblebee has the ability to set a hardcoded and randomized sleep interval.(Citation: Proofpoint Bumblebee April 2022)
Crimson

Crimson can determine when it has been installed on a host for at least 15 days before downloading the final payload.(Citation: Proofpoint Operation Transparent Tribe March 2016)
Gootloader

Gootloader can designate a sleep period of more than 22 seconds between stages of infection.(Citation: Sophos Gootloader)
Saint Bot

Saint Bot has used the command `timeout 20` to pause the execution of its initial loader.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

During Operation Dream Job, Lazarus Group used tools that collected `GetTickCount` and `GetSystemTimeAsFileTime` data to detect sandbox or VMware services.(Citation: ClearSky Lazarus Aug 2020)
Tomiris

Tomiris has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.(Citation: Kaspersky Tomiris Sep 2021)
HermeticWiper

HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.(Citation: Crowdstrike DriveSlayer February 2022)
Lokibot

Lokibot has performed a time-based anti-debug check before downloading its third stage.(Citation: Talos Lokibot Jan 2021)
Snip3

Snip3 can execute `WScript.Sleep` to delay execution of its second stage.(Citation: Morphisec Snip3 May 2021)
RansomHub

RansomHub can sleep for a set number of minutes before beginning execution.(Citation: Group-IB RansomHub FEB 2025)
Bisonal

Bisonal has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

StrifeWater

StrifeWater can modify its sleep time responses from the default of 20-22 seconds.(Citation: Cybereason StrifeWater Feb 2022)
Pony

Pony has delayed execution using a built-in function to avoid detection and analysis.(Citation: Malwarebytes Pony April 2016)

IPsec Helper

IPsec Helper will sleep for a random number of seconds, iterating 200 times over sleeps between one to three seconds, before continuing execution flow.(Citation: SentinelOne Agrius 2021)
TrickBot

TrickBot has used printf and file I/O loops to delay process execution as part of API hammering.(Citation: Joe Sec Trickbot)
metaMain

metaMain has delayed execution for five to six minutes during its persistence establishment process.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
QakBot

The QakBot dropper can delay dropping the payload to evade detection.(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)
LiteDuke

LiteDuke can wait 30 seconds before executing additional code if security software is detected.(Citation: ESET Dukes October 2019)
GrimAgent

GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task.(Citation: Group IB GrimAgent July 2021)
Bazar

Bazar can use a timer to delay execution of core functionality.(Citation: NCC Group Team9 June 2020)
EvilBunny

EvilBunny has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox.(Citation: Cyphort EvilBunny Dec 2014)
BADFLICK

BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes.(Citation: Accenture MUDCARP March 2019)
GoldenSpy

GoldenSpy's installer has delayed installation of GoldenSpy for two hours after it reaches a victim system.(Citation: Trustwave GoldenSpy June 2020)

WhisperGate

WhisperGate can pause for 20 seconds to bypass antivirus solutions.(Citation: Medium S2W WhisperGate January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)
DRATzarus

DRATzarus can use the `GetTickCount` and `GetSystemTimeAsFileTime` API calls to measure function timing.(Citation: ClearSky Lazarus Aug 2020) DRATzarus can also remotely shut down into sleep mode under specific conditions to evade detection.(Citation: ClearSky Lazarus Aug 2020)
GoldMax

GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.(Citation: MSTIC NOBELIUM Mar 2021)
GuLoader

GuLoader has the ability to perform anti-debugging based on time checks, API calls, and CPUID.(Citation: Medium Eli Salem GuLoader April 2021)
SVCReady

SVCReady can enter a sleep stage for 30 minutes to evade detection.(Citation: HP SVCReady Jun 2022)
Brute Ratel C4

Brute Ratel C4 can call `NtDelayExecution` to pause execution.(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)
XCSSET

Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, .report. After the elapsed time, XCSSET executes additional modules.(Citation: trendmicro xcsset xcode project 2020)
ThiefQuest

ThiefQuest invokes time call to check the system's time, executes a sleep command, invokes a second time call, and then compares the time difference between the two time calls and the amount of time the system slept to identify the sandbox.(Citation: wardle evilquest parti)
AppleJeus

AppleJeus has waited a specified time before downloading a second stage payload.(Citation: CISA AppleJeus Feb 2021)

Обнаружение

Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

Ссылки

  1. Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.
  2. Malik, A. (2016, October 14). Nitol Botnet makes a resurgence with evasive sandbox analysis technique. Retrieved September 30, 2021.
  3. Loman, M. et al. (2021, July 4). Independence Day: REvil uses supply chain exploit to attack hundreds of businesses. Retrieved September 30, 2021.
  4. Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.
  5. Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.
  6. Joe Security. (2016, April 21). Nymaim - evading Sandboxes with API hammering. Retrieved September 30, 2021.
  7. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  8. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  9. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  10. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  11. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved November 17, 2024.
  12. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.
  13. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  14. Caragay, R. (2014, December 11). Info-Stealing File Infector Hits US, UK. Retrieved June 5, 2019.
  15. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  16. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  17. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  18. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  19. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  20. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  21. Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.
  22. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  23. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  24. Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
  25. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  26. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  27. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  28. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
  29. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  30. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  31. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  32. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  33. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  34. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  35. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  36. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  37. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  38. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  39. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  40. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  41. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  42. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  43. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved September 16, 2024.
  44. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  45. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
  46. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  47. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  48. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
  49. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  50. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
  51. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.