Detect Time Providers in Google Chronicle
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are implemented as DLLs registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. The time provider manager loads and starts time providers listed under this key at system startup. Adversaries may create a new subkey pointing to a malicious DLL in the DllName value. Administrator privileges are required for time provider registration, though execution runs in context of the Local Service account.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1547 Boot or Logon Autostart Execution
- Sub-technique: T1547.003 Time Providers
- Canonical reference: https://attack.mitre.org/techniques/T1547/003/
YARA-L Detection Query
rule t1547_003_time_provider_dll_registration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects non-standard DLL registration under the W32Time TimeProviders registry key, indicating potential Windows Time service abuse for persistence (T1547.003)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.003"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    $e.target.registry.registry_key = /\\Services\\W32Time\\TimeProviders\\/
    // Only the DllName value carries a module path. Without this filter, writes to
    // Enabled or InputProvider (data "1") would never match the exclusions below and
    // would alert every time a built-in provider is toggled.
    $e.target.registry.registry_value_name = "DllName" nocase
    // Built-in providers (NtpClient/NtpServer, the Hyper-V VMICTimeProvider) load their
    // DLLs from System32. Anchoring on the directory and the end of the value keeps a
    // same-named DLL dropped in another directory in scope.
    not $e.target.registry.registry_value_data = /(?i)\\system32\\(w32time|vmictimeprovider)\.dll$/

  condition:
    $e
}
Chronicle YARA-L 2.0 rule detecting registry modification events targeting the W32Time TimeProviders key where a non-standard DLL is specified in the DllName value data, indicating potential time provider hijacking.
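The rule's matching logic, run over constructed events, as an added example that is not part of the page or of the Argus rule. It mirrors the events block above in Python (key regex, DllName value filter, path-anchored exclusion of the built-in DLLs) and also exposes two parameters that reproduce a looser variant (no value-name filter, bare-file-name exclusion) so the edge cases are visible: flag writes under a rogue subkey, and a malicious DLL deliberately named w32time.dll outside System32. The events are shaped like Chronicle UDM fields but are constructed here; the paths under C:\Users\Public and the TestProvider subkey are hypothetical.

```python
# Added example (not from the page or the rule's author): the TimeProviders DllName
# detection logic applied to constructed, UDM-shaped registry events.
import re

# Key prefix every event in this example uses (constructed; real events come from the
# normalized Sysmon 12/13 or MDE DeviceRegistryEvents feed).
TP_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders"

TIMEPROVIDERS_KEY = re.compile(r"\\Services\\W32Time\\TimeProviders\\", re.IGNORECASE)
# Built-in providers load w32time.dll / vmictimeprovider.dll from System32. Anchoring on
# the parent directory and the end of the value means a same-named DLL elsewhere is NOT
# excused.
BUILTIN_DLL_STRICT = re.compile(r"\\system32\\(w32time|vmictimeprovider)\.dll$", re.IGNORECASE)
# Looser exclusion for comparison: the bare file name anywhere in the value.
BUILTIN_DLL_LOOSE = re.compile(r"(w32time|vmictimeprovider)\.dll", re.IGNORECASE)


def make_event(key, value_name, value_data, event_type="REGISTRY_MODIFICATION"):
    """Build a minimal UDM-shaped event carrying only the fields the rule reads."""
    return {
        "metadata": {"event_type": event_type},
        "target": {"registry": {
            "registry_key": key,
            "registry_value_name": value_name,
            "registry_value_data": value_data,
        }},
    }


def is_time_provider_hijack(event, require_dllname=True, strict_allowlist=True):
    """True for a REGISTRY_MODIFICATION under ...\\W32Time\\TimeProviders\\ that writes a
    DllName value whose data is not a built-in provider DLL in System32.

    require_dllname=False / strict_allowlist=False reproduce a rule that filters only on
    the key and on a bare-file-name exclusion, to show what each refinement changes.
    """
    if event.get("metadata", {}).get("event_type") != "REGISTRY_MODIFICATION":
        return False
    reg = event.get("target", {}).get("registry", {})
    if not TIMEPROVIDERS_KEY.search(reg.get("registry_key", "")):
        return False
    if require_dllname and reg.get("registry_value_name", "").lower() != "dllname":
        return False
    allow = BUILTIN_DLL_STRICT if strict_allowlist else BUILTIN_DLL_LOOSE
    return allow.search(reg.get("registry_value_data", "")) is None


# Constructed sample events (label, event). TestProvider and the C:\Users\Public paths
# are hypothetical; the first two mirror the default NtpClient and Hyper-V DllName data.
SAMPLE_EVENTS = [
    ("ntpclient_default", make_event(TP_KEY + r"\NtpClient", "DllName",
                                     r"%SystemRoot%\System32\w32time.dll")),
    ("hyperv_default", make_event(TP_KEY + r"\VMICTimeProvider", "DllName",
                                  r"C:\Windows\System32\vmictimeprovider.dll")),
    ("rogue_dll", make_event(TP_KEY + r"\TestProvider", "DllName",
                             r"C:\Users\Public\tp.dll")),
    ("rogue_enabled_flag", make_event(TP_KEY + r"\TestProvider", "Enabled", "1")),
    ("rogue_input_flag", make_event(TP_KEY + r"\TestProvider", "InputProvider", "1")),
    ("parameters_write", make_event(
        r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters",
        "NtpServer", "time.windows.com,0x9")),
    ("same_name_evasion", make_event(TP_KEY + r"\TestProvider", "DllName",
                                     r"C:\Users\Public\w32time.dll")),
    ("read_only", make_event(TP_KEY + r"\NtpClient", "DllName",
                             r"C:\Users\Public\tp.dll", event_type="REGISTRY_READ")),
]


def alerts(events=None, require_dllname=True, strict_allowlist=True):
    """Labels of the events the rule variant would alert on, in input order."""
    events = SAMPLE_EVENTS if events is None else events
    return [label for label, ev in events
            if is_time_provider_hijack(ev, require_dllname, strict_allowlist)]


if __name__ == "__main__":
    print("rule as written above :", alerts())
    print("key + bare-name only  :", alerts(require_dllname=False, strict_allowlist=False))
```

Run stand-alone it prints, for the rule as written above, the rogue DllName write and the w32time.dll-outside-System32 case, and for the looser variant the rogue DllName write plus the two flag writes (noise) while missing the same-name DLL; only the DllName filter and the path-anchored exclusion together give the intended result.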
Data Sources
Windows registry telemetry normalized into Chronicle UDM REGISTRY_MODIFICATION events, for example Sysmon Event ID 12 (key created/deleted) and Event ID 13 (value set), or Microsoft Defender for Endpoint DeviceRegistryEvents; these are the sources the tests below refer to.
False Positives & Tuning
- Authorized deployment of enterprise-grade NTP solutions that register proprietary time provider DLLs as part of their installation
- Hypervisor integration tools that update time provider configuration during VM lifecycle events such as snapshot restore or live migration
- Penetration testing or red team exercises authorized to simulate persistence techniques on test endpoints
- When allowlisting a sanctioned third-party provider, exclude its full DllName path rather than the bare file name; a bare-name exclusion such as w32time.dll would also excuse a same-named DLL placed in a user-writable directory
- Corroborate a hit with load telemetry: Sysmon Event ID 7 showing the svchost.exe instance hosting W32Time loading the registered DLL confirms the provider was actually activated, not merely registered
Testing Methodology
Validate this detection with the three tests below, adapted from Atomic Red Team T1547.003. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Register Malicious Time Provider via Registry
Expected signal: Sysmon Event ID 12: Key created for df00techTestProvider. Sysmon Event ID 13: Value set for DllName, Enabled, and InputProvider. MDE DeviceRegistryEvents for all three operations. The rule should fire on the DllName write only.
- Test 2: Enumerate Existing Time Providers
Expected signal: Sysmon Event ID 1: Process creation for reg.exe. No registry modification events, so this rule is not expected to fire; enumeration is visible only through process telemetry.
- Test 3: Register Time Provider and Restart W32Time
Expected signal: Sysmon Event ID 12/13 for the registry operations. System log Event ID 7036 (Service Control Manager) for the W32Time service state changes. If the DLL existed on disk, Sysmon Event ID 7 would show it being loaded by the svchost.exe instance hosting W32Time.
References (5)
- https://attack.mitre.org/techniques/T1547/003/
- https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
- https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top
- https://github.com/scottlundgren/w32time
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md