Technique on mitre.org

T1547.003: Time Providers

Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.

Adversaries may abuse this architecture to establish persistence, specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the DllName value. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-1360: Suspicious_Registry_Value: Windows Registry abuse. This is often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, data collection, and other malicious activity. mitre_attck_persistence: PT-CR-1346: Time_Providers_Persistence: Persistence by changing TimeProviders settings

Detection

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor newly executed processes, such as the W32tm.exe utility. The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor for changes made to windows registry keys and/or values modifying W32Time information in the Registry.

ID	DS0011	Data source and component	Module: Module Load	Description	There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may abuse time providers to execute DLLs when the system boots.

ID	Data source and component	Description
DS0009	Process: Process Creation	Monitor newly executed processes, such as the W32tm.exe utility. The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers.
DS0024	Windows Registry: Windows Registry Key Modification	Monitor for changes made to windows registry keys and/or values modifying W32Time information in the Registry.
DS0011	Module: Module Load	There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk.
DS0017	Command: Command Execution	Monitor executed commands and arguments that may abuse time providers to execute DLLs when the system boots.

Mitigation

ID	M1022	Name	Restrict File and Directory Permissions	Description	Consider using Group Policy to configure and block additions/modifications to W32Time DLLs.

ID	M1024	Name	Restrict Registry Permissions	Description	Consider using Group Policy to configure and block modifications to W32Time parameters in the Registry.

ID	Name	Description
M1022	Restrict File and Directory Permissions	Consider using Group Policy to configure and block additions/modifications to W32Time DLLs.
M1024	Restrict Registry Permissions	Consider using Group Policy to configure and block modifications to W32Time parameters in the Registry.