Potential Persistence via Time Provider Modification | Elastic Security Solution [7.16]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

« Suspicious ImagePath Service Creation Persistence via Hidden Run Key Detected »

Potential Persistence via Time Provider Modificationedit

Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://pentestlab.blog/2019/10/22/persistence-time-providers/

Tags:

Elastic
Host
Windows
Threat Detection
Persistence

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

registry where event.type:"change" and
  registry.path:"HKLM\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*" and
  registry.data.strings:"*.dll"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/
Sub-technique:
- Name: Time Providers
- ID: T1547.003
- Reference URL: https://attack.mitre.org/techniques/T1547/003/

« Suspicious ImagePath Service Creation Persistence via Hidden Run Key Detected »