Description
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)
Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)
Adversaries may abuse this architecture to establish persistence, specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the DllName value. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
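A defender-side check for the registration mechanism just described, added here as an example and not part of the ATT&CK page: it enumerates the TimeProviders subkeys, expands each DllName, and flags providers that are not in a stock-Windows baseline, that load a DLL from outside System32, or whose DLL is unsigned or missing. The baseline hashtable (NtpClient, NtpServer, VMICTimeProvider and their DLLs) is an assumption about a default install; adjust it before using the output for alerting.

```powershell
# Added example (not from the ATT&CK page): audit registered W32Time time providers.
# Assumption: the baseline below reflects a default Windows install.
$ProvidersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders'
$System32     = Join-Path $env:SystemRoot 'System32'

# Known-good provider name -> expected DLL file name (compared case-insensitively)
$Baseline = @{
    'NtpClient'        = 'w32time.dll'
    'NtpServer'        = 'w32time.dll'
    'VMICTimeProvider' = 'vmictimeprovider.dll'
}

Get-ChildItem -Path $ProvidersKey | ForEach-Object {
    $props   = Get-ItemProperty -Path $_.PSPath
    $rawDll  = [string]$props.DllName
    $dllPath = [Environment]::ExpandEnvironmentVariables($rawDll)
    $reasons = @()
    $sig     = $null

    # 1. Unknown provider name, or a known name re-pointed at a different DLL
    if (-not $Baseline.ContainsKey($_.PSChildName)) {
        $reasons += 'provider name not in baseline'
    } elseif ([IO.Path]::GetFileName($dllPath) -ne $Baseline[$_.PSChildName]) {
        $reasons += 'DllName differs from baseline'
    }

    # 2. A provider DLL outside System32 is a strong persistence signal
    if (-not $dllPath) {
        $reasons += 'DllName empty'
    } elseif (-not $dllPath.StartsWith($System32, 'OrdinalIgnoreCase')) {
        $reasons += "DLL outside $System32"
    }

    # 3. Authenticode status of the DLL that W32Time will load
    if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    } elseif ($dllPath) {
        $reasons += 'DLL missing on disk'
    }

    [pscustomobject]@{
        Provider   = $_.PSChildName
        Enabled    = [int]$props.Enabled
        DllName    = $rawDll
        Signer     = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
} | Format-Table -AutoSize
```

Run it with an elevated prompt on a baseline host first to confirm the expected three providers report Suspicious = False, then compare against the fleet.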
Platforms
Mitigations (2)
Restrict Registry Permissions (M1024)
Consider using Group Policy to configure and block modifications to W32Time parameters in the Registry. (Citation: Microsoft W32Time May 2017)
Restrict File and Directory Permissions (M1022)
Consider using Group Policy to configure and block additions/modifications to W32Time DLLs. (Citation: Microsoft W32Time May 2017)
References
- Lundgren, S. (2017, October 28). w32time. Retrieved March 26, 2018.
- Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.
- Microsoft. (2018, February 1). Windows Time Service (W32Time). Retrieved March 26, 2018.
- Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
Frequently Asked Questions
What is T1547.003 (Time Providers)?
T1547.003 is a MITRE ATT&CK technique named 'Time Providers'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2...
How can T1547.003 be detected?
Detection of T1547.003 (Time Providers) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1547.003?
There are 2 documented mitigations for T1547.003. Key mitigations include: Restrict Registry Permissions, Restrict File and Directory Permissions.
Which threat groups use T1547.003?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.