Common Information
| Type | Value |
|---|---|
| Value |
Time Providers - T1209 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider) Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\</code>. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider) Adversaries may abuse this architecture to establish Persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017) Detection: Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017) The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns) Platforms: Windows Data Sources: API monitoring, Binary file metadata, DLL monitoring, File monitoring, Loaded DLLs, Process Monitoring Permissions Required: Administrator, SYSTEM Contributors: Scott Lundgren, @5twenty9, Carbon Black |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2023-12-06 | 198 | Russia/Ukraine Update - December 2023 | ||
| Details | Website | 2023-08-25 | 195 | Russia/Ukraine Update - August 2023 | ||
| Details | Website | 2023-05-30 | 112 | Russia/Ukraine Update - May 2023 | ||
| Details | Website | 2023-03-17 | 17 | SafeBreach Coverage for US-CERT Alert (AA23-075A) – #StopRansomware: LockBit 3.0 | ||
| Details | Website | 2022-01-01 | 5 | GitHub - scottlundgren/w32time |