title: Time Providers (T1547.003)
id: df00tech-t1547-003
status: experimental
description: "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are implemented as DLLs registered in the subkeys of HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\. The time provider manager loads and starts time providers listed under this key at system startup. Adversaries may create a new subkey pointing to a malicious DLL in the DllName value. Administrator privileges are required for time provider registration, though execution runs in the context of the Local Service account."
references:
  - https://attack.mitre.org/techniques/T1547/003/
  - https://df00tech.com/detections/T1547.003
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547.003
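# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
  category: registry_set
detection:
  # The original logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is built from the registry path in the description and assumes
  # registry value-set telemetry (for example Sysmon Event ID 13).
  selection:
    TargetObject|contains: '\Services\W32Time\TimeProviders\'
    TargetObject|endswith: '\DllName'
  condition: selection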
falsepositives:
  - Installation of Hyper-V Integration Services that registers VMICTimeProvider
  - "Third-party time synchronization software (Meinberg, Galleon, Domain Time II) registering custom time providers"
  - Windows feature upgrades that reconfigure the W32Time service
level: high
