Picus Security Explains Time Based Checks in MITRE ATT&CK
Picus Security has released an analysis of the T1497.003 Time Based Checks technique within the MITRE ATT&CK framework. In this technique, malware uses time-related system characteristics to determine whether it is running inside an analysis environment.

Cybersecurity firm Picus Security has detailed the T1497.003 Time Based Checks technique, a sub-technique under MITRE ATT&CK's Virtualization and Sandbox Evasion (T1497). Malware using this method leverages time-related system characteristics to identify sandboxes and other automated analysis environments.
The core of this technique involves discerning whether malware is operating on a physical host or within an automated analysis environment. Instead of inspecting system artifacts or user interaction, adversaries assess signals such as system uptime and clock progression. Analysis environments that are short-lived, or that accelerate or otherwise manipulate time, can be detected through these means.
Picus Security notes that adversaries employ time-based checks to evade sandbox detection. This often includes intentional delays, such as sleep calls or timed loops, combined with clock reads before and after the delay. If the observed time behavior deviates from expected norms (for example, a long sleep that returns almost immediately because the sandbox skipped it), the malware may delay or suppress malicious activity, thereby avoiding detection.
The "Red Report 2026" indicates a resurgence in the use of the Virtualization and Sandbox Evasion technique. One observed procedure involves the Blitz malware, which compares execution times of different threads to identify virtualized environments. It measures, for instance, the duration of 1,000,000 loop iterations and compares the outcomes.
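From the analyst's side, the behaviours described above (long or repeated delays, clock reads bracketing a sleep, and tight timing loops such as the thread-comparison measurement) leave a recognisable footprint in a sandbox's API trace. The following is an added example, not code from Picus Security or from the report, of a heuristic scan over such a trace. The trace format (a list of `{"t", "api", "args"}` records with `t` in milliseconds since process start) and the sample trace are constructed for this example; real sandboxes use their own schemas, and the thresholds are assumptions to tune per environment.

```python
"""Heuristic scan of a sandbox API trace for T1497.003-style time checks.

Each trace record is a dict: {"t": ms_since_start, "api": name, "args": {...}}.
This record format is constructed for the example; adapt to your sandbox.
"""

# Clock-reading APIs commonly seen around timing checks.
TIMING_APIS = {
    "GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
    "GetSystemTimeAsFileTime", "NtQuerySystemTime", "timeGetTime", "rdtsc",
}
# APIs that introduce a delay.
DELAY_APIS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}

# Assumed thresholds; tune to the analysis time budget of your sandbox.
LONG_SLEEP_MS = 60_000          # a single or cumulative delay this long is suspicious
TIMING_BURST_WINDOW_MS = 1_000  # window for counting clock reads
TIMING_BURST_COUNT = 50         # this many clock reads inside the window = timed loop


def delay_ms(call):
    """Requested delay of a call in milliseconds (0 for non-delay APIs)."""
    args = call.get("args", {})
    if call["api"] in ("Sleep", "SleepEx", "WaitForSingleObject"):
        return float(args.get("dwMilliseconds", 0))
    if call["api"] == "NtDelayExecution":
        # DelayInterval is in 100 ns units; negative means relative delay.
        return abs(float(args.get("DelayInterval", 0))) / 10_000
    return 0.0


def scan_trace(trace):
    """Return a list of (kind, t_ms, detail) findings for a trace."""
    findings = []

    # 1. Single long delay, and cumulative delay split across many calls.
    total = 0.0
    for c in trace:
        ms = delay_ms(c)
        total += ms
        if ms >= LONG_SLEEP_MS:
            findings.append(("long_delay", c["t"], f"{c['api']} for {ms:.0f} ms"))
    if total >= LONG_SLEEP_MS:
        findings.append(("cumulative_delay", trace[0]["t"], f"{total:.0f} ms requested in total"))

    # 2. A delay bracketed by clock reads: the classic "did the sleep really
    #    take that long" check that exposes sleep-skipping sandboxes.
    for i, c in enumerate(trace):
        if c["api"] in DELAY_APIS:
            before = any(x["api"] in TIMING_APIS for x in trace[max(0, i - 3):i])
            after = any(x["api"] in TIMING_APIS for x in trace[i + 1:i + 4])
            if before and after:
                findings.append(("timed_sleep", c["t"], f"{c['api']} bracketed by clock reads"))

    # 3. Burst of clock reads: a timed loop (e.g. measuring loop iterations).
    times = sorted(c["t"] for c in trace if c["api"] in TIMING_APIS)
    j = 0
    for i, t in enumerate(times):
        while times[j] < t - TIMING_BURST_WINDOW_MS:
            j += 1
        if i - j + 1 >= TIMING_BURST_COUNT:
            findings.append(("timing_burst", times[j], f"{i - j + 1} clock reads within {TIMING_BURST_WINDOW_MS} ms"))
            break

    return findings


# Constructed sample trace: a clock read, a two-minute sleep that the sandbox
# returned from after 1 ms, another clock read, then a tight loop of
# QueryPerformanceCounter calls.
SAMPLE_TRACE = (
    [{"t": 10, "api": "GetTickCount", "args": {}},
     {"t": 11, "api": "Sleep", "args": {"dwMilliseconds": 120_000}},
     {"t": 12, "api": "GetTickCount", "args": {}}]
    + [{"t": 200 + k, "api": "QueryPerformanceCounter", "args": {}} for k in range(60)]
)


if __name__ == "__main__":
    for kind, t, detail in scan_trace(SAMPLE_TRACE):
        print(f"[{kind}] t={t} ms: {detail}")
```

Each finding is a hint, not a verdict: legitimate software sleeps and reads clocks too, so these heuristics are best used to prioritise samples for re-analysis in a sandbox with a longer run time and consistent clock sources.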