MITRE ATT&CK® Analytic

AN0430: Analytic 0430

Untrusted or unusual process/script (cmd.exe, powershell.exe, w32tm.exe, net.exe, custom binaries) queries system time/timezone (e.g., w32tm /tz, net time \\host, Get-TimeZone, GetTickCount API) and (optionally) is followed within a short window by time-based scheduling or conditional execution (e.g., schtasks /create, at.exe, PowerShell Start-Sleep with large values).

Enterprise · AN0430 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic focuses on Windows processes or scripts that check system time or timezone and may then schedule or delay execution. For leaders, the practical issue is not the time query alone; it is whether the organization can spot unusual automation patterns that may precede delayed actions, scheduled tasks, or conditional execution. That matters for incident response timelines, SOC triage quality, and confidence that endpoint telemetry can reconstruct what happened before an action was deferred or scheduled.

Executive priority

Prioritize this as a validation item for Windows endpoint visibility and SOC readiness rather than as a standalone high-confidence alert. Security leaders should ask whether telemetry covers command-line activity, script execution, time/timezone queries, and nearby scheduling behavior such as schtasks, at.exe, or PowerShell sleep patterns. The business value is improved ability to investigate delayed execution and prove control coverage during incident reviews or compliance evidence requests.

Technical view

On Windows, validate detection logic that identifies untrusted or unusual processes or scripts querying time-related data through examples named in the object, including cmd.exe, powershell.exe, w32tm.exe, net.exe, custom binaries, Get-TimeZone, net time, w32tm /tz, and GetTickCount API usage where observable. Treat the strongest signal as a sequence: an unusual time or timezone query followed within a short window by time-based scheduling or conditional execution such as schtasks /create, at.exe, or PowerShell Start-Sleep with large values. Because ATT&CK provides no separate official detection text and no relationship context for this object, local baselining is essential.

Likely telemetry

  • Windows process creation events with full command line
  • PowerShell script block, module, or command invocation logs where available
  • Endpoint detection and response process lineage and parent-child relationships
  • Scheduled task creation or modification events
  • Command execution involving w32tm.exe, net.exe, schtasks.exe, at.exe, cmd.exe, and powershell.exe

Detection direction

  • Baseline legitimate administrative and operational use of w32tm, net time, Get-TimeZone, scheduled tasks, and PowerShell sleep behavior to reduce false positives.
  • Prioritize sequence-based detection over single-event alerts: unusual time query followed by scheduling, at.exe use, schtasks /create, or long Start-Sleep behavior.
  • Tune for process reputation, signer or path context, parent process, user context, host role, and whether the binary or script is expected in that environment.
  • Validate whether telemetry preserves command-line arguments and process lineage; without those, this analytic may be difficult to operationalize.
  • Review custom binaries separately, since time queries through APIs such as GetTickCount may not be visible in standard command-line logs.
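As an added worked example (not Glexia's or MITRE's code), the following Python script applies the sequence logic described above to constructed Windows process-creation events: it classifies each command line as a time/timezone query or as scheduling/delayed execution, baselines out queries from an expected parent process, and only reports a hit when a query on a host is followed by scheduling on the same host inside a short window. The event field names (ts, host, parent, cmdline, user), the 5-minute window, the 300-second "large sleep" threshold and the trusted-parent list are assumptions to be tuned to local telemetry; the sample events are constructed, not real logs.

```python
"""Sequence correlation for the AN0430 pattern: an unusual time/timezone query
followed within a short window by scheduling or a long Start-Sleep.

Added example, not Glexia's or MITRE's code. Field names, the window, the sleep
threshold and the trusted-parent baseline are assumptions; events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Time/timezone queries named in the analytic that are visible on a command line
# (API calls such as GetTickCount are not observable from this data source).
TIME_QUERY_PATTERNS = [
    re.compile(r"\bw32tm(\.exe)?\b.*\s/tz\b", re.I),
    re.compile(r"\bnet(\.exe)?\s+time\b", re.I),
    re.compile(r"\bGet-TimeZone\b", re.I),
]
# Follow-on time-based scheduling or delayed execution.
SCHEDULE_PATTERNS = [
    re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
    re.compile(r"\bat(\.exe)?\s+\d{1,2}:\d{2}", re.I),
]
SLEEP_PATTERN = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)

LONG_SLEEP_SECONDS = 300          # assumption: what counts as a "large" sleep
WINDOW = timedelta(minutes=5)     # assumption: the "short window"
TRUSTED_PARENTS = {               # assumption: baselined parents, lowercase paths
    r"c:\windows\system32\svchost.exe",
}


def classify(cmdline):
    """Return 'time_query', 'schedule' or None for one process command line."""
    if any(p.search(cmdline) for p in TIME_QUERY_PATTERNS):
        return "time_query"
    if any(p.search(cmdline) for p in SCHEDULE_PATTERNS):
        return "schedule"
    m = SLEEP_PATTERN.search(cmdline)
    if m and int(m.group(1)) >= LONG_SLEEP_SECONDS:
        return "schedule"
    return None


def correlate(events):
    """Pair each time query with follow-on scheduling on the same host inside WINDOW."""
    pending = defaultdict(list)   # host -> time-query events awaiting a follow-on
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev["cmdline"])
        if kind == "time_query":
            if ev["parent"].lower() in TRUSTED_PARENTS:
                continue          # expected administrative use, baselined out
            pending[ev["host"]].append(ev)
        elif kind == "schedule":
            # Only queries still inside the window fire; stale ones are dropped.
            recent = [q for q in pending[ev["host"]] if ev["ts"] - q["ts"] <= WINDOW]
            for q in recent:
                hits.append({
                    "host": ev["host"],
                    "user": ev["user"],
                    "query": q["cmdline"],
                    "follow_on": ev["cmdline"],
                    "delta_seconds": int((ev["ts"] - q["ts"]).total_seconds()),
                })
            pending[ev["host"]] = []  # each query contributes to at most one hit
    return hits


def _ev(ts, host, parent, cmdline, user="CORP\\alice"):
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent, "cmdline": cmdline, "user": user}


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00", "WS01", r"C:\Windows\System32\svchost.exe", "w32tm /tz"),
    _ev("2024-05-01T10:01:00", "WS01", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "cmd.exe /c w32tm /tz"),
    _ev("2024-05-01T10:02:30", "WS01", r"C:\Users\alice\AppData\Local\Temp\updater.exe",
        r"schtasks /create /tn Sync /tr C:\Users\alice\AppData\Local\Temp\updater.exe /sc once /st 23:00"),
    _ev("2024-05-01T10:20:00", "WS02", r"C:\Windows\explorer.exe", "powershell.exe -c Get-TimeZone"),
    _ev("2024-05-01T10:40:00", "WS02", r"C:\Windows\explorer.exe", "powershell.exe -c Start-Sleep -Seconds 3600"),
    _ev("2024-05-01T10:41:00", "WS03", r"C:\Windows\System32\cmd.exe", r"net time \\dc01"),
    _ev("2024-05-01T10:41:45", "WS03", r"C:\Windows\System32\cmd.exe", "at.exe 13:00 /interactive cmd.exe"),
    _ev("2024-05-01T10:50:00", "WS04", r"C:\Windows\explorer.exe", "schtasks /create /tn Backup /tr backup.cmd /sc daily /st 02:00"),
]

if __name__ == "__main__":
    for h in correlate(SAMPLE_EVENTS):
        print(f"{h['host']} {h['user']}: {h['query']!r} -> {h['follow_on']!r} after {h['delta_seconds']}s")
```

Run against the sample data, the script reports two sequences (WS01: w32tm /tz from a Temp-path parent followed 90 s later by schtasks /create; WS03: net time followed 45 s later by at.exe) and stays silent on the three single-event cases: the svchost-parented w32tm query that the baseline excludes, the WS02 Get-TimeZone whose long Start-Sleep arrives 20 minutes later, outside the window, and the WS04 scheduled task with no preceding query. The window and the baseline are the two knobs that decide the false-positive rate, which is why the list above treats both as local tuning decisions.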

Mitigation priorities

  • Ensure Windows endpoint logging and EDR collection capture process creation, command lines, PowerShell activity, and scheduled task activity.
  • Restrict and monitor administrative ability to create scheduled tasks or use legacy scheduling mechanisms where business operations allow.
  • Harden PowerShell logging and execution governance according to organizational policy.
  • Use least privilege and application control concepts to reduce untrusted script and custom binary execution.
  • Create SOC playbooks that correlate time-query behavior with subsequent scheduling or delayed execution before escalating severity.

Analyst notes and limits

This object is a detection analytic, not a technique entry, and it has no supplied tactic mapping or relationship context. Its value is as a coverage test for Windows telemetry and correlation logic around time-aware execution patterns. The analytic should not be treated as proof of malicious activity without local context and follow-on behavior.

The supplied ATT&CK fields include a description but no official detection text, no relationships, and only the Windows platform. This take does not infer actor use, active exploitation, impact, or guaranteed detectability. Local logging depth, EDR visibility, and administrative baselines determine whether the analytic is actionable.

Official MITRE ATT&CK definition

Analytic 0430

Untrusted or unusual process/script (cmd.exe, powershell.exe, w32tm.exe, net.exe, custom binaries) queries system time/timezone (e.g., w32tm /tz, net time \\host, Get-TimeZone, GetTickCount API) and (optionally) is followed within a short window by time-based scheduling or conditional execution (e.g., schtasks /create, at.exe, PowerShell Start-Sleep with large values).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank)
Modified: (blank)
Raw hash: e7256743a59a4711...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    | (blank)         | 1.0            | (blank)  | Current bundle | e7256743a59a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0430 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.