Time Providers

DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "\\Services\\W32Time\\TimeProviders"
| where not(RegistryValueData has_any ("w32time.dll", "vmictimeprovider.dll"))
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
  TargetObject="*\\Services\\W32Time\\TimeProviders\\*"
  NOT (Details="*w32time.dll*" OR Details="*vmictimeprovider.dll*")
| eval action=case(EventCode=12, "KeyCreated", EventCode=13, "ValueSet")
| table _time, host, action, TargetObject, Details, Image, User
| sort - _time

registry where registry.path : "*\\Services\\W32Time\\TimeProviders\\*" and (event.action == "registry_key_created" or event.action == "registry_value_set") and not registry.data.strings : ("*w32time.dll*", "*vmictimeprovider.dll*")

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time, logsourcename(logsourceid) AS log_source, sourceip, username, QIDNAME(qid) AS event_name, "TargetObject", "Details", "Image" FROM events WHERE LOGSOURCETYPEID = 13 AND (qid = 5000008 OR qid = 5000009) AND "TargetObject" ILIKE '%\Services\W32Time\TimeProviders%' AND "Details" NOT ILIKE '%w32time.dll%' AND "Details" NOT ILIKE '%vmictimeprovider.dll%' ORDER BY devicetime DESC LAST 24 HOURS

_sourceCategory="windows/sysmon" (EventCode=12 OR EventCode=13) TargetObject="*\Services\W32Time\TimeProviders*" | where !matches(Details, "*w32time.dll*") and !matches(Details, "*vmictimeprovider.dll*") | parse field=EventCode "12" as key_created nodrop | parse field=EventCode "13" as value_set nodrop | eval action = if(EventCode == "12", "KeyCreated", "ValueSet") | table _messageTime, host, action, TargetObject, Details, Image, User | sort by _messageTime desc

rule t1547_003_time_provider_dll_registration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects non-standard DLL registration under W32Time TimeProviders registry key, indicating potential Windows Time Service abuse for persistence (T1547.003)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.003"
    severity = "HIGH"
    confidence = "HIGH"
  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    $e.target.registry.registry_key = /\\Services\\W32Time\\TimeProviders\\/
    not $e.target.registry.registry_value_data = /(?i)w32time\.dll/
    not $e.target.registry.registry_value_data = /(?i)vmictimeprovider\.dll/
  condition:
    $e
}

#event_simpleName=RegSetValue OR #event_simpleName=RegCreateKey
| TargetObjectName = /\\Services\\W32Time\\TimeProviders\\/
| TargetObjectValueString != /(?i)w32time\.dll/
| TargetObjectValueString != /(?i)vmictimeprovider\.dll/
| table([_timeutc, ComputerName, #event_simpleName, TargetObjectName, TargetObjectValueString, ImageFileName, UserName])
| sort(field=_timeutc, order=desc)