T1547.003 Time Providers
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.3 W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.4
Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\.4 The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.4
Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.1
| Item | Value |
|---|---|
| ID | T1547.003 |
| Sub-techniques | T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015 |
| Tactics | TA0003, TA0004 |
| Platforms | Windows |
| Permissions required | Administrator, SYSTEM |
| Version | 1.0 |
| Created | 24 January 2020 |
| Last Modified | 20 April 2022 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1022 | Restrict File and Directory Permissions | Consider using Group Policy to configure and block additions/modifications to W32Time DLLs. 2 |
| M1024 | Restrict Registry Permissions | Consider using Group Policy to configure and block modifications to W32Time parameters in the Registry. 2 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0011 | Module | Module Load |
| DS0009 | Process | Process Creation |
| DS0024 | Windows Registry | Windows Registry Key Modification |
References
-
Lundgren, S. (2017, October 28). w32time. Retrieved March 26, 2018. ↩
-
Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018. ↩↩
-
Microsoft. (2018, February 1). Windows Time Service (W32Time). Retrieved March 26, 2018. ↩
-
Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. ↩↩↩
-
Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. ↩