Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)
Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\</code>. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider)
Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1547.003 | Time Providers | |
| AC-4 | Information Flow Enforcement | Protects | T1547.003 | Time Providers | |
| CA-7 | Continuous Monitoring | Protects | T1547.003 | Time Providers | |
| CM-2 | Baseline Configuration | Protects | T1547.003 | Time Providers | |
| CM-5 | Access Restrictions for Change | Protects | T1547.003 | Time Providers | |
| CM-6 | Configuration Settings | Protects | T1547.003 | Time Providers | |
| SI-4 | System Monitoring | Protects | T1547.003 | Time Providers | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1547.003 | Time Providers |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1547.003 | Time Providers |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|