Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)
Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)
Adversaries may abuse this architecture to establish persistence, specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the DllName value. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.04 | Time services and synchronization | Mitigates | T1547.003 | Time Providers |
Comments
The diagnostic statement focuses on the importance of maintaining accurate and resilient time synchronization across systems. By ensuring that time services are designed with security and reliability in mind, organizations reduce the risk of adversaries tampering with time provider components or disrupting time synchronization processes described in the Boot or Logon Autostart Execution: Time Providers technique.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1547.003 | Time Providers | |
| CM-06 | Configuration Settings | mitigates | T1547.003 | Time Providers | |
| CM-05 | Access Restrictions for Change | mitigates | T1547.003 | Time Providers | |
| AC-17 | Remote Access | mitigates | T1547.003 | Time Providers | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1547.003 | Time Providers | |
| CM-02 | Baseline Configuration | mitigates | T1547.003 | Time Providers | |
| SI-04 | System Monitoring | mitigates | T1547.003 | Time Providers | |
| AC-03 | Access Enforcement | mitigates | T1547.003 | Time Providers | |
| AC-04 | Information Flow Enforcement | mitigates | T1547.003 | Time Providers | |
| AC-06 | Least Privilege | mitigates | T1547.003 | Time Providers |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1547.003 | Time Providers |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1547.003 | Time Providers |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|