New TimeProviders Registered With Uncommon DLL Name
Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
Sigma rule (View on GitHub)
1title: New TimeProviders Registered With Uncommon DLL Name
2id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85
3status: experimental
4description: |
5 Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
6 Adversaries may abuse time providers to execute DLLs when the system boots.
7 The Windows Time service (W32Time) enables time synchronization across and within domains.
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md
10author: frack113
11date: 2022-06-19
12modified: 2024-03-26
13tags:
14 - attack.persistence
15 - attack.privilege-escalation
16 - attack.t1547.003
17logsource:
18 category: registry_set
19 product: windows
20detection:
21 selection:
22 TargetObject|contains: '\Services\W32Time\TimeProviders'
23 TargetObject|endswith: '\DllName'
24 filter_main_w32time:
25 Details:
26 - '%SystemRoot%\System32\vmictimeprovider.dll'
27 - '%systemroot%\system32\w32time.dll'
28 - 'C:\Windows\SYSTEM32\w32time.DLL'
29 condition: selection and not 1 of filter_main_*
30falsepositives:
31 - Unknown
32level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Addition of SID History to Active Directory Object