Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)
Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\</code>.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)
Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-17 | Remote Access | Protects | T1547.003 | Time Providers |
AC-03 | Access Enforcement | Protects | T1547.003 | Time Providers |
AC-04 | Information Flow Enforcement | Protects | T1547.003 | Time Providers |
AC-06 | Least Privilege | Protects | T1547.003 | Time Providers |
CA-07 | Continuous Monitoring | Protects | T1547.003 | Time Providers |
CM-02 | Baseline Configuration | Protects | T1547.003 | Time Providers |
CM-05 | Access Restrictions for Change | Protects | T1547.003 | Time Providers |
CM-06 | Configuration Settings | Protects | T1547.003 | Time Providers |
SI-04 | System Monitoring | Protects | T1547.003 | Time Providers |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1547.003 | Time Providers |