T1497.003: Time Based Checks
Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock.
Adversaries may use calls like `GetTickCount` and `GetSystemTimeAsFileTime` to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.[1]
Analyst context for executives and security teams
Time Based Checks matter because they help malware decide whether it is being watched. Instead of immediately revealing malicious behavior in a sandbox or analyst VM, a sample may inspect uptime, system time, or timer behavior and delay, change, or suppress execution if the environment looks artificial. For leaders, the business issue is not the timer check itself; it is the possibility that malware triage, detonation, and incident scoping may understate risk when evasive code refuses to run in analysis environments.
Executive priority
Prioritize this as a validation topic for malware analysis, managed detection, and incident response readiness. ATT&CK links this sub-technique to Virtualization/Sandbox Evasion and to numerous malware families and a campaign, which makes it relevant to confidence in sandbox verdicts, alert enrichment, and escalation decisions. Security leaders should ask whether SOC and IR teams treat a clean or low-activity sandbox run as provisional when timing evasion indicators are present, and whether evidence from endpoints is retained to support audit, investigation, and post-incident decisions.
Technical view
T1497.003 is a stealth/discovery sub-technique of Virtualization/Sandbox Evasion on Linux, macOS, and Windows. The official description highlights checks such as uptime, system clock, and API-style time queries including GetTickCount and GetSystemTimeAsFileTime, plus comparisons before and after sleep behavior to identify accelerated time in sandboxes. ATT&CK provides no official detection text, but relationship context includes detection strategy DET0141, Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution. SOC and detection engineering teams should validate whether detonation, EDR, and host telemetry can expose suspicious long sleeps, repeated timer loops, unusual time queries, and execution that changes after elapsed-time thresholds, while recognizing that benign software also uses timers and sleeps.
Likely telemetry
- Endpoint process execution and parent/child process context
- Host API or behavioral telemetry for time, uptime, sleep, and timer-loop activity where available
- Sandbox or malware detonation traces, including elapsed runtime, sleep acceleration behavior, and observed execution path changes
- System time, uptime, and clock-change records where collected
- File and process activity before and after delayed execution windows
Detection direction
- Do not rely on a single short sandbox execution result for unknown binaries when timing checks or delayed execution behavior are observed.
- Use DET0141 relationship context as a detection-engineering starting point for sleep, timer-loop, and delayed-execution analytics, then tune against local baseline software that legitimately uses timers.
- Correlate timing behavior with broader suspicious context, such as new or untrusted process execution, later payload activity, or network activity after a delay, rather than alerting on sleep calls alone.
- Validate coverage across Linux, macOS, and Windows if those platforms are in scope; many related software examples in the supplied relationships are Windows-focused, but the ATT&CK technique platform field is broader.
- Preserve sandbox traces and endpoint evidence showing both pre-delay and post-delay behavior so IR teams can distinguish non-execution from evasion.
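As an added illustration of the detection direction above (not part of the ATT&CK object or of Glexia's tooling), the following Python flags the patterns DET0141 points at in a constructed sandbox API-call trace: a long sleep, a time query immediately before and after a Sleep call, a repeated sleep/time-query loop, and activity after the delay. The trace line format, the time-API name set and the two thresholds are assumptions to tune locally.

```python
from collections import defaultdict

# Constructed sample trace (not real sandbox output): "seq pid api arg" per line.
TRACE = """\
1 4120 GetTickCount -
2 4120 Sleep 600000
3 4120 GetTickCount -
4 4120 CreateFileW stage2.dll
5 7788 Sleep 500
6 7788 GetSystemTimeAsFileTime -
7 7788 Sleep 500
8 7788 GetSystemTimeAsFileTime -
9 7788 Sleep 500
10 7788 GetSystemTimeAsFileTime -
11 9012 Sleep 200
12 9012 WriteFile -
"""

# Assumed API set and thresholds; tune against local baseline software.
TIME_APIS = {"GetTickCount", "GetTickCount64", "GetSystemTimeAsFileTime", "QueryPerformanceCounter"}
LONG_SLEEP_MS = 300_000   # sleeps this long outrun a typical detonation window
LOOP_MIN_PAIRS = 3        # Sleep/time-query repetitions that count as a timer loop


def parse(trace):
    """Group (api, arg) calls per pid, preserving call order."""
    per_pid = defaultdict(list)
    for line in trace.splitlines():
        _seq, pid, api, arg = line.split(maxsplit=3)
        per_pid[int(pid)].append((api, arg))
    return per_pid


def analyze(trace):
    """Return {pid: sorted finding names} for processes showing timing patterns."""
    findings = defaultdict(set)
    for pid, calls in parse(trace).items():
        for i, (api, arg) in enumerate(calls):
            if api != "Sleep":
                continue
            if int(arg) >= LONG_SLEEP_MS:
                findings[pid].add("long_sleep")
                # Later non-timing calls show the sample kept running (evasion, not non-execution).
                if any(a not in TIME_APIS | {"Sleep"} for a, _ in calls[i + 1:]):
                    findings[pid].add("activity_after_long_sleep")
            # Time query right before and after a sleep: the before/after comparison used to spot accelerated time.
            if 0 < i < len(calls) - 1 and calls[i - 1][0] in TIME_APIS and calls[i + 1][0] in TIME_APIS:
                findings[pid].add("sleep_bracketed_by_time_query")
        pairs = sum(1 for a, b in zip(calls, calls[1:]) if a[0] == "Sleep" and b[0] in TIME_APIS)
        if pairs >= LOOP_MIN_PAIRS:
            findings[pid].add("timer_loop")
    return {pid: sorted(f) for pid, f in findings.items()}
```

Processes that only sleep briefly and then work (pid 9012) produce no finding, which is the baseline behaviour the tuning note in the list above is about.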
Mitigation priorities
- Improve malware-analysis procedures first: extend or vary detonation runtimes and document when sandbox results are inconclusive due to delayed or time-aware behavior.
- Ensure endpoint telemetry retention can compensate for sandbox blind spots, especially process, file, timing-related behavioral traces, and post-delay network activity.
- Use layered controls rather than a timer-specific block: prevention, EDR behavior monitoring, sandboxing, and IR playbooks should all account for virtualization and sandbox evasion.
- Train SOC and IR analysts to escalate suspicious samples that appear inert in analysis but show timing checks, because the absence of payload behavior may be an evasion result rather than proof of harmlessness.
- Map this behavior into compliance and assurance evidence where malware analysis, monitoring, and incident response effectiveness must be demonstrated.
Analyst notes and limits
The supplied relationships show this behavior used by Operation Dream Job and multiple software entries including Crimson, TrickBot, Bisonal, Ursnif, EvilBunny, Okrum, Lokibot, Pony, GoldenSpy, FatDuke, LiteDuke, Bazar, Egregor, SUNBURST, GuLoader, Raindrop, BendyBear, AppleJeus, GoldMax, ThiefQuest, and Clop. That breadth supports treating time-based evasion as a common analysis-resilience concern, but each local detection decision still needs host and sandbox evidence.
ATT&CK provides no official detection text for this object, and the supplied fields do not include mitigations or procedure-level details for each related software item. This take should not be read as evidence of current exploitation, attribution, or guaranteed detection coverage. Local platform mix, sandbox configuration, endpoint telemetry depth, and retention determine practical visibility.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1497 | Virtualization/Sandbox Evasion | This object is a sub-technique of Virtualization/Sandbox Evasion. |
Groups, software, and campaigns
S0565: Raindrop
Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.[1][2]
S0626: P8RAT
S0559: SUNBURST
S0574: BendyBear
S0554: Egregor
S0611: Clop
Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[1][2][3]
S0627: SodaMaster
SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.[1]
S0660: Clambling
Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[1]
S0386: Ursnif
Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]
S0439: Okrum
S9003: evilginx2
S0512: FatDuke
C0022: Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 16e047049887… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How Malware Evades Detection by Sandboxes. ISACA. Retrieved March 30, 2021.
- [2] mitre-attack: T1497.003.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.