Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

New TimeProviders Registered With Uncommon DLL Name

Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Sun Jun 19Updated Tue Mar 26e88a6ddc-74f7-463b-9b26-f69fc0d2ce85windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        TargetObject|contains: '\Services\W32Time\TimeProviders'
        TargetObject|endswith: '\DllName'
    filter_main_w32time:
        Details:
            - '%SystemRoot%\System32\vmictimeprovider.dll'
            - '%systemroot%\system32\w32time.dll'
            - 'C:\Windows\SYSTEM32\w32time.DLL'
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
e88a6ddc-74f7-463b-9b26-f69fc0d2ce85
Status
test
Level
high
Type
Detection
Created
Sun Jun 19
Modified
Tue Mar 26
Author
François Hubaut
Path
rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
Raw Tags
attack.persistenceattack.privilege-escalationattack.t1547.003
View on GitHub