timeout.exe
- File Path:
C:\windows\system32\timeout.exe - Description: timeout - pauses command processing
Hashes
| Type | Hash |
|---|---|
| MD5 | 8BD41891EA45BA4653B3A3799784DA31 |
| SHA1 | F0D2942B2C879C02C084AE42F918147E6AB78A11 |
| SHA256 | B9EC92A5BEAA11A7C17F84ECD346B138C39A76244926C310202DDBB24C3700B2 |
| SHA384 | 01AE59B3BC78C8FBD9705A7ADE062D1F25F2D7E812CD4877E83019EB4FF904A6E20D251B1D287FF6557B6C4833E04F07 |
| SHA512 | 74C85A04899BDC03AAF240492D431988BF219F0DB76F56677BBBFCC7856011B4693DA96352930153DD760367B593499E42913B98DC142C5FBC3E6E864A0DDE2D |
| SSDEEP | 768:SH/VilVH0LRioGTS1qztHW+JHX1cMmrxsehX:SH/GGVZGVhHFVmrxDX |
Signature
- Status: The file C:\windows\system32\timeout.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: timeout.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of timeout.exe being misused. While timeout.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_del.yml | #cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit |
DRL 1.0 |
| malware-ioc | nukesped_lazarus | ==== :timeout |
© ESET 2014-2018 |
| malware-ioc | kessel_config.ksy | - id: timeout |
© ESET 2014-2018 |
| malware-ioc | sshdoor.yar | $usage = "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]" |
© ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] | MIT License. © 2018 Red Canary |
| atomic-red-team | linux-index.md | - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] | MIT License. © 2018 Red Canary |
| atomic-red-team | macos-index.md | - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session | MIT License. © 2018 Red Canary |
| atomic-red-team | T1040.md | TIMEOUT /T 5 >nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | | timeout | Timeout period before ending process (seconds) | Integer | 1| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | timeout –preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} “#{query}” > #{output_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | ##### Description: The whois and timeout commands must be present | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | which whois && which timeout | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | echo “Please install timeout and the whois package” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c “timeout #{recording_time} > NULL && psr.exe /stop” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | timeout 5 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | This process is very slow and test execution may timeout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | | timeout | Timeout period before shutdown (seconds) | Integer | 1| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | shutdown /s /t #{timeout} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | | timeout | Timeout period before restart (seconds) | Integer | 1| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | shutdown /r /t #{timeout} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | | timeout | Time to restart (can be minutes or specific time) | String | now| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | shutdown -r #{timeout} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | | timeout | Time to shutdown (can be minutes or specific time) | String | now| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | shutdown -h #{timeout} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.002.md | * ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.003.md | Within Linux and MacOS systems, sudo (sometimes referred to as “superuser do”) allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command “allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.”(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again). |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.003.md | - Atomic Test #2 - Unlimited sudo cache timeout | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.003.md | ## Atomic Test #2 - Unlimited sudo cache timeout | MIT License. © 2018 Red Canary |
| signature-base | apt_apt15.yar | $s6 = “Cmd timeout %d” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_aus_parl_compromise.yar | $x1 = “not a valid timeout format!” ascii wide fullword | CC BY-NC 4.0 |
| signature-base | apt_emissary.yar | $s2 = “execute cmd timeout.” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s1 = “Active connections will be maintained for this tunnel. Timeout:” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $x2 = “[-] timeout waiting for response - target may have crashed” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s5 = “WARNING: LP Timeout specified (%lu seconds) less than default (%u seconds). Setting default” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp_apr17.yar | $s4 = “Timeout waiting for daemon to die. Exploit probably failed.” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp_apr17.yar | $x1 = “Probe #2 usage: %s -i TargetIp -p TargetPort -r %d [-o TimeOut] -t Protocol -n IMailUserName -a IMailPassword” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_lazarus_dec20.yar | $g4 = “session.timeout=600” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_triton_mal_sshdoor.yar | $a_usage = “usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]” | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s1 = “Retransmission Timeout Algorithm = unknown (%1!u!)” fullword wide /* Goodware String - occured 2 times */ | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s4 = “Mutex object did not timeout, list not patched” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s5 = “Mutex object did not timeout, list not patched” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_empire.yar | $s1 = “Test-Port -h $h -p $Port -timeout $Timeout” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_empire.yar | $s2 = “1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }” fullword ascii | CC BY-NC 4.0 |
| signature-base | spy_equation_fiveeyes.yar | $s3 = “Timeout waiting for the "canInstallNow" event from the implant-specific EXE!” | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s5 = “TIMEOUT while waiting for Ack block %d. file <%s>” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s1 = “usage: %s |
CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = “$sock = @ftp_connect($host,$port,$timeout);” fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = “function ftp_check($host,$user,$pass,$timeout){“ fullword | CC BY-NC 4.0 |
| stockpile | 10fad81e-3f68-47be-83b6-fbee7711c6a9.yml | timeout: 300 |
Apache-2.0 |
| stockpile | 1b4fb81c-8090-426c-93ab-0a633e7a16a7.yml | timeout: 80 |
Apache-2.0 |
| stockpile | 5f844ac9-5f24-4196-a70d-17f0bd44a934.yml | Commandline = 'cmd.exe /c "timeout /nobreak /t 10 >nul 2>nul & del /f #{location}"'; |
Apache-2.0 |
| stockpile | 5a4cb2be-2684-4801-9355-3a90c91e0004.yml | timeout: 180 |
Apache-2.0 |
| stockpile | 95727b87-175c-4a69-8c7a-a5d82746a753.yml | timeout: 300 |
Apache-2.0 |
| stockpile | 3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml | $req.TimeOut = 50000; |
Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | # Linux distros should include timeout making this easy. |
Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | # We expect timeout to return a 124, which needs to then return a 0 |
Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | timeout 60 ./xmrig-6.11.2/xmrig; |
Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | timeout: 120 |
Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | # MacOS does not include timeout, but can mimic the process with screen. |
Apache-2.0 |
| stockpile | 78524da1-f347-4fbb-9295-209f1f408330.yml | timeout: 120 |
Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
timeout
Pauses the command processor for the specified number of seconds. This command is typically used in batch files.
Syntax
timeout /t <timeoutinseconds> [/nobreak]
Parameters
| Parameter | Description |
|---|---|
/t <timeoutinseconds> |
Specifies the decimal number of seconds (between -1 and 99999) to wait before the command processor continues processing. The value -1 causes the computer to wait indefinitely for a keystroke. |
| /nobreak | Specifies to ignore user key strokes. |
| /? | Displays help at the command prompt. |
Remarks
-
A user keystroke resumes the command processor execution immediately, even if the timeout period has not expired.
-
When used in conjunction with the resource kit’s Sleep tool, timeout is similar to the pause command.
Examples
To pause the command processor for ten seconds, type:
timeout /t 10
To pause the command processor for 100 seconds and ignore any keystroke, type:
timeout /t 100 /nobreak
To pause the command processor indefinitely until a key is pressed, type:
timeout /t -1
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.