TIARAS - T1497.003: Time Based Checks

MITRE ATT&CK Technique

Defense Evasion T1497.003

Description

Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock. Adversaries may use calls like `GetTickCount` and `GetSystemTimeAsFileTime` to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)

Supported Platforms

Linux macOS Windows

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2020-03-06T21:11:11.225Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may employ various time-based methods to detect '
                'virtualization and analysis environments, particularly those '
                'that attempt to manipulate time mechanisms to simulate longer '
                'elapses of time. This may include enumerating time-based '
                'properties, such as uptime or the system clock. \n'
                '\n'
                'Adversaries may use calls like `GetTickCount` and '
                '`GetSystemTimeAsFileTime` to discover if they are operating '
                'within a virtual machine or sandbox, or may be able to '
                'identify a sandbox accelerating time by sampling and '
                "calculating the expected value for an environment's timestamp "
                'before and after execution of a sleep function.(Citation: '
                'ISACA Malware Tricks)',
 'external_references': [{'external_id': 'T1497.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1497/003'},
                         {'description': 'Kolbitsch, C. (2017, November 1). '
                                         'Evasive Malware Tricks: How Malware '
                                         'Evades Detection by Sandboxes. '
                                         'Retrieved March 30, 2021.',
                          'source_name': 'ISACA Malware Tricks',
                          'url': 'https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes'}],
 'id': 'attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'discovery'}],
 'modified': '2025-10-24T17:48:44.870Z',
 'name': 'Time Based Checks',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['Jorge Orchilles, SCYTHE',
                          'Ruben Dodge, @shotgunner101',
                          'Jeff Felling, Red Canary',
                          'Deloitte Threat Library Team'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '2.0'}

Quick Actions

Edit TTP Update from Web

Back to TTPs

Dashboard About