
DET0122 Detect Abuse of Windows Time Providers for Persistence

Item Value
ID DET0122
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1547.003 (Time Providers)

Analytics

Windows

AN0341

Behavioral correlation of a privileged write under the W32Time TimeProviders registry key (in particular a new or changed DllName value naming a provider DLL) with a DLL newly written to disk and with that DLL subsequently being loaded by the Windows Time service, which runs as LocalService. The registry write comes from an administrative or SYSTEM account, while the module load and any resulting process activity come from the W32Time service host under LocalService, so the two user contexts differ and should be correlated rather than filtered on a single account. Together these indicate abuse of Time Providers for persistence. Note that Sysmon Event ID 13 (value set) and 14 (key or value rename) record changes to an existing key; key creation itself is Event ID 12, which should be added to the registry source if the first write of a new provider subkey is meant to be the trigger.

Log Sources
Data Component | Name | Channel
Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
Mutable Elements
Field | Description
RegistryPathScope | May need to be tuned to monitor only the W32Time\TimeProviders subkey path for performance optimization
UserContext | Should focus on activity from administrative or SYSTEM accounts for the registry write; the resulting DLL load runs as LocalService
TimeWindow | Controls the correlation window between the registry modification and the DLL drop or load
DllPathEntropyThreshold | Used for anomaly scoring on DLL path patterns (e.g., random names or temp directories)
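The correlation described by AN0341, written out as an added example that is not part of the ATT&CK detection strategy or of any vendor detection content: it walks constructed Sysmon-style records (not captured logs), keys on every DllName value set under the TimeProviders subkey, excludes the DLLs that ship with the built-in providers (the w32time.dll and vmictimeprovider.dll allowlist is an assumption to adjust per environment), then looks for the same DLL being written to disk (Event ID 11) and loaded by the service host as LOCAL SERVICE (Event ID 7) inside the TimeWindow, and scores the DLL path against the DllPathEntropyThreshold and staging-directory patterns. Field names follow Sysmon's (TargetObject, Details, TargetFilename, ImageLoaded, User, UtcTime); the severity ladder, the window default and the entropy threshold are assumptions for illustration.

```python
"""Correlate Sysmon events that together indicate a malicious W32Time
time provider: a DllName value set under ...\\W32Time\\TimeProviders,
the named DLL freshly written to disk, and the DLL loaded by the time
service host as LocalService.
Example code added to this page; not part of the ATT&CK detection strategy.
All event records below are constructed, not captured from a real host."""
import math
import os
import re
from datetime import datetime, timedelta

# RegistryPathScope: only DllName values directly under a provider subkey.
# Sysmon writes the hive as HKLM\System\...; match case-insensitively.
TIME_PROVIDERS_RE = re.compile(
    r"\\Services\\W32Time\\TimeProviders\\(?P<provider>[^\\]+)\\DllName$",
    re.IGNORECASE)

# Assumption: DLLs Windows itself registers for the built-in providers
# (NtpClient/NtpServer use w32time.dll, Hyper-V guests add VMICTimeProvider).
KNOWN_PROVIDER_DLLS = {
    "c:\\windows\\system32\\w32time.dll",
    "c:\\windows\\system32\\vmictimeprovider.dll",
}

# UserContext for the load side: the W32Time service host runs as LocalService.
SERVICE_USER = "nt authority\\local service"


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def shannon_entropy(text):
    """Bits per character of text; the basis for DllPathEntropyThreshold."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dll_path_flags(path, entropy_threshold=2.5):
    """Anomaly flags on the DLL path: outside System32, common staging
    directories, random-looking basename (letters and digits mixed)."""
    p = path.lower()
    stem = os.path.splitext(os.path.basename(p.replace("\\", "/")))[0]
    flags = []
    if not p.startswith("c:\\windows\\system32\\"):
        flags.append("outside_system32")
    if any(d in p for d in ("\\temp\\", "\\users\\public\\", "\\programdata\\")):
        flags.append("staging_dir")
    if shannon_entropy(stem) >= entropy_threshold and not stem.isalpha():
        flags.append("random_name")
    return flags, shannon_entropy(stem)


def correlate(events, window_seconds=600, entropy_threshold=2.5):
    """One alert per non-default DllName set under TimeProviders, enriched
    with the file-creation and module-load events that fall inside the
    TimeWindow. Severity: registry only = low, plus DLL drop = medium,
    plus load by LocalService = high (assumed ladder, not from the page)."""
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ev in events:
        if ev["EventCode"] != 13:
            continue
        m = TIME_PROVIDERS_RE.search(ev["TargetObject"])
        if not m:
            continue
        dll = ev["Details"].strip().lower()
        if dll in KNOWN_PROVIDER_DLLS:
            continue
        t0 = parse_time(ev["UtcTime"])

        def in_window(e):
            return abs(parse_time(e["UtcTime"]) - t0) <= window

        dropped = [e for e in events if e["EventCode"] == 11
                   and e["TargetFilename"].lower() == dll and in_window(e)]
        loaded = [e for e in events if e["EventCode"] == 7
                  and e["ImageLoaded"].lower() == dll
                  and e["User"].lower() == SERVICE_USER and in_window(e)]
        severity = "high" if loaded else "medium" if dropped else "low"
        flags, entropy = dll_path_flags(dll, entropy_threshold)
        alerts.append({
            "provider": m.group("provider"), "dll": dll, "severity": severity,
            "registry_writer": ev["User"], "writer_image": ev["Image"],
            "dropped_by": [e["Image"] for e in dropped],
            "loaded_by": [e["Image"] for e in loaded],
            "flags": flags, "entropy": entropy,
        })
    return alerts


# Constructed sample: an admin drops a DLL, registers it as a provider,
# and the time service loads it; a Hyper-V guest toggles a built-in provider.
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2025-10-21 09:58:30",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "User": "CORP\\jdoe-adm", "TargetFilename": "C:\\Users\\Public\\xq7k2mz.dll"},
    {"EventCode": 13, "UtcTime": "2025-10-21 10:00:00", "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe-adm",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\EvilProv\\DllName",
     "Details": "C:\\Users\\Public\\xq7k2mz.dll"},
    {"EventCode": 13, "UtcTime": "2025-10-21 10:00:01", "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe-adm",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\EvilProv\\Enabled",
     "Details": "DWORD (0x00000001)"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:01:10",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "User": "NT AUTHORITY\\LOCAL SERVICE",
     "ImageLoaded": "C:\\Users\\Public\\xq7k2mz.dll"},
    {"EventCode": 13, "UtcTime": "2025-10-21 10:05:00", "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\VMICTimeProvider\\DllName",
     "Details": "C:\\Windows\\System32\\vmictimeprovider.dll"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two things worth keeping in mind when tuning: the registry write and the DLL load come from different accounts (an administrator and LOCAL SERVICE), so a UserContext filter applied to the whole chain would drop the load event; and character entropy on a seven-character basename is a weak signal on its own (the stems of w32time.dll and a random name score the same), so the directory flags should carry most of the weight in DllPathEntropyThreshold scoring.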