DET0151: Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery
Analyst context for executives and security teams
DET0151 is a MITRE detection strategy for identifying behavior related to System Time Discovery. The business value is not that reading time is inherently malicious, but that adversaries may use local time, time zone, or synchronization details to plan execution timing, avoid noisy periods, or understand an environment. Because the official detection text is not provided, teams should treat this as a prompt to validate whether time-discovery behavior is visible across the related platforms: ESXi, Linux, macOS, and network devices.
Executive priority
Prioritize this as a coverage-validation item rather than a standalone high-severity alert. Security leaders should ask whether SOC and incident response teams can see unusual time and time-zone discovery activity on critical infrastructure, especially systems where time synchronization supports authentication, logging, audit trails, operational scheduling, or forensic reconstruction. The decision value is in confirming telemetry completeness and correlation, not in assuming every time query is suspicious.
Technical view
This detection strategy is associated with ATT&CK T1124 System Time Discovery under the discovery tactic. For SOC and detection engineering, validate platform-aware visibility into actions that read local or remote system time, time zone settings, or time synchronization configuration on ESXi, Linux, macOS, and network devices. Because no official detection logic is supplied, detections should be correlation-driven: look for time-discovery activity occurring near other discovery, access, execution, or lateral movement indicators rather than alerting broadly on normal administrative time checks.
Likely telemetry
- Process or shell execution records where available on Linux and macOS
- Administrative command logs and audit logs for ESXi management activity
- Network device command accounting, configuration audit logs, or management-plane logs
- Time synchronization service logs or configuration access records
- Remote administration session logs tied to users, hosts, and source addresses
Detection direction
- Validate that time and time-zone discovery events are collected from the related platforms before writing correlation logic.
- Tune for context: time checks by administrators, scripts, monitoring tools, and configuration management are common and may create false positives.
- Prioritize behavior chains where time discovery appears with other discovery activity or occurs from unusual accounts, hosts, remote sessions, or management interfaces.
- Check for blind spots on network devices and ESXi, where endpoint-style telemetry may be limited and command/accounting logs may be the primary evidence.
- Ensure time synchronization and logging quality are reliable; weak clock consistency can undermine both detection and incident reconstruction.
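The correlation-driven approach described in the technical view and the detection direction list, as an added worked example that is not MITRE's DET0151 logic or Glexia's code: a small Python script that normalises constructed command-execution records from Linux, macOS, ESXi and a network device into one shape, tags each command as time discovery or other discovery, groups them per session (host, user, source address) and scores a time check only by its context. Everything in it is an assumption chosen for the demonstration: the record format, the per-platform command patterns, the host-to-platform inventory, the expected-admin baseline, the ten-minute window and the severity tiers. A lone time check by an expected admin produces no alert; a chain from an unexpected account produces the highest tier.

```python
"""Behavior-chain correlation for T1124 System Time Discovery (added example).

Illustrative code, not MITRE's DET0151 logic. The record format, command
patterns, host inventory, expected-admin list and window are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified command-execution record, one per line:
#   <utc timestamp> host=<host> user=<user> src=<ip> cmd=<command line>
# Linux auditd execve events, macOS process events, ESXi shell logs and
# network-device AAA command accounting can all be normalised to this shape.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cmd=(?P<cmd>.+)$"
)

# Assumed per-platform patterns for time / time-zone / time-sync discovery.
TIME_DISCOVERY = {
    "linux":   [r"^date\b", r"^timedatectl\b", r"^hwclock\b", r"^(ntpq|chronyc)\b"],
    "macos":   [r"^date\b", r"^systemsetup\s+-get(timezone|networktimeserver)\b", r"^sntp\b"],
    "esxi":    [r"^date\b", r"^esxcli\s+system\s+(time|ntp)\s+get\b"],
    "network": [r"^show\s+(clock|ntp\s+(status|associations))\b"],
}
# Assumed patterns for other discovery activity that makes a chain interesting.
OTHER_DISCOVERY = {
    "linux":   [r"^(id|whoami|uname|hostname|ss|netstat)\b", r"^cat\s+/etc/passwd\b"],
    "macos":   [r"^(id|whoami|uname|hostname|ifconfig|dscl)\b"],
    "esxi":    [r"^esxcli\s+(vm\s+process\s+list|network\s+ip\s+interface\s+list)\b"],
    "network": [r"^show\s+(running-config|ip\s+interface\s+brief|version|users)\b"],
}

# Assumed asset inventory and locally baselined accounts that run routine
# time checks; in practice both come from the CMDB and local tuning.
PLATFORM_OF_HOST = {"ops-bastion": "linux", "web01": "linux", "mac-dev7": "macos",
                    "esx01": "esxi", "core-sw1": "network"}
EXPECTED_ADMINS = {"ops-admin", "netadmin", "root"}


def classify(platform, cmd):
    """Return 'time', 'discovery' or None for one command on one platform."""
    if any(re.search(p, cmd) for p in TIME_DISCOVERY.get(platform, [])):
        return "time"
    if any(re.search(p, cmd) for p in OTHER_DISCOVERY.get(platform, [])):
        return "discovery"
    return None


def parse(lines):
    """Parse records into event dicts; lines not matching the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["platform"] = PLATFORM_OF_HOST.get(ev["host"], "linux")
        ev["kind"] = classify(ev["platform"], ev["cmd"])
        events.append(ev)
    return events


def correlate(events, window=timedelta(minutes=10), expected_admins=EXPECTED_ADMINS):
    """Score time discovery per session by context: other discovery inside the
    window (a chain) and/or an actor outside the expected-admin baseline.
    A lone time check by an expected admin is suppressed."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["host"], ev["user"], ev["src"])].append(ev)

    alerts = []
    for (host, user, src), evs in sessions.items():
        evs.sort(key=lambda e: e["ts"])
        times = [e for e in evs if e["kind"] == "time"]
        if not times:
            continue
        chain = [e for e in evs if e["kind"] == "discovery"
                 and any(abs(e["ts"] - t["ts"]) <= window for t in times)]
        unusual = user not in expected_admins
        if not chain and not unusual:
            continue  # benign administrative time check: no alert
        severity = "high" if chain and unusual else "medium" if chain else "low"
        reasons = []
        if chain:
            reasons.append(f"{len(chain)} other discovery command(s) within {window}")
        if unusual:
            reasons.append(f"user {user} not in expected-admin baseline")
        alerts.append({"host": host, "user": user, "src": src,
                       "platform": evs[0]["platform"], "severity": severity,
                       "reasons": reasons,
                       "commands": [e["cmd"] for e in times + chain]})
    return alerts


# Constructed sample records for the demonstration (not real telemetry).
SAMPLE_LOG = [
    "2026-03-02T09:14:02Z host=ops-bastion user=ops-admin src=10.0.5.20 cmd=timedatectl status",
    "2026-03-02T09:30:10Z host=esx01 user=svc-backup src=10.0.9.77 cmd=esxcli system time get",
    "2026-03-02T09:31:40Z host=esx01 user=svc-backup src=10.0.9.77 cmd=esxcli vm process list",
    "2026-03-02T09:32:05Z host=esx01 user=svc-backup src=10.0.9.77 cmd=esxcli system ntp get",
    "2026-03-02T10:05:00Z host=core-sw1 user=netadmin src=10.0.5.21 cmd=show clock",
    "2026-03-02T10:05:30Z host=core-sw1 user=netadmin src=10.0.5.21 cmd=show running-config",
    "2026-03-02T11:00:00Z host=mac-dev7 user=jdoe src=10.0.8.14 cmd=systemsetup -gettimezone",
    "2026-03-02T12:00:00Z host=web01 user=root src=10.0.5.20 cmd=uname -a",
    "2026-03-02T12:30:00Z host=web01 user=root src=10.0.5.20 cmd=date",
]

if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(a["severity"].upper(), a["platform"], a["host"], a["user"], "from", a["src"])
        for r in a["reasons"]:
            print("   -", r)
        print("   commands:", "; ".join(a["commands"]))
```

On the constructed input this yields three alerts: the ESXi service account that reads system time, lists VMs and reads NTP settings within two minutes scores high (chain plus unexpected actor); the network admin's show clock followed by show running-config scores medium (chain, expected actor, the kind of hit that local tuning must review); the developer's lone time-zone query scores low; the bastion admin's timedatectl and the root date check thirty minutes after uname produce nothing, because the window and the baseline suppress them. The window, the baseline and the tiers are the knobs the detection direction list says to tune locally.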
Mitigation priorities
- Maintain accurate, centralized time synchronization for infrastructure and security tooling to preserve audit and forensic integrity.
- Restrict and monitor administrative access to systems where time settings or time-service configuration can be queried or changed.
- Ensure ESXi, Linux, macOS, and network device logs are forwarded to a central platform with sufficient retention for investigations.
- Use least privilege and session accountability for management interfaces so benign administration can be distinguished from suspicious discovery.
- Treat this behavior as one signal in a broader investigation workflow rather than a control objective by itself.
Analyst notes and limits
The supplied object has no official description, detection text, tactics, or platforms of its own. Its usable context comes from the relationship stating that DET0151 detects T1124 System Time Discovery, whose related tactic is discovery and related platforms are ESXi, Linux, macOS, and Network Devices. The detection strategy name indicates behavior-chain and platform-aware framing, so correlation and platform-specific telemetry validation are appropriate.
This take is limited by sparse ATT&CK fields. It does not assert active exploitation, adversary attribution, detection coverage, or specific command syntax. Local baselining is required because time discovery can be normal administrative, monitoring, or automation activity.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1124 | System Time Discovery | This object detects System Time Discovery. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c91114b2ccb2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0151
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.