Windows uses a time provider architecture to obtain accurate time stamps from other devices or clients on the network. Time providers are implemented as DLL files that reside in the System32 folder. The W32Time service starts during Windows startup and loads w32time.dll. Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.
Rule type: eql
Risk score: 47
Runs every: 5 minutes
Maximum alerts per execution: 100
Tags: Threat Detection
Added (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
registry where event.type:"change" and
  registry.path:"HKLM\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*" and
  registry.data.strings:"*.dll"
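As an added example (not part of the Elastic rule page), the query's three conditions reproduced in Python and run over constructed registry events, so the matching behaviour can be checked offline; the field names follow the ECS fields the query references, while the event ids, key names and DLL paths are constructed.

```python
import re

def wildcard_to_regex(pattern: str) -> re.Pattern:
    # EQL's ':' operator is a case-insensitive match where '*' and '?' are wildcards
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)

# The two wildcard patterns from the rule, with EQL's '\\' string escapes resolved
PATH_PATTERN = wildcard_to_regex(r"HKLM\SYSTEM\*ControlSet*\Services\W32Time\TimeProviders\*")
DLL_PATTERN = wildcard_to_regex("*.dll")

def matches_rule(event: dict) -> bool:
    """Mirror the rule: a registry change under TimeProviders that writes a .dll path."""
    types = event.get("event", {}).get("type", [])
    types = [types] if isinstance(types, str) else types  # ECS event.type may be an array
    if not any(t.lower() == "change" for t in types):
        return False
    registry = event.get("registry", {})
    if not PATH_PATTERN.match(registry.get("path", "")):
        return False
    # registry.data.strings is an array field; the condition holds if any value matches
    return any(DLL_PATTERN.match(s) for s in registry.get("data", {}).get("strings", []))

def find_alerts(events) -> list:
    return [e["id"] for e in events if matches_rule(e)]

# Constructed sample events (not real telemetry), shaped like the ECS fields the rule uses
SAMPLE_EVENTS = [
    {"id": "evt-1", "event": {"type": "change"},  # built-in provider pointed at the stock DLL
     "registry": {"path": r"HKLM\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient\DllName",
                  "data": {"strings": [r"C:\Windows\system32\w32time.DLL"]}}},
    {"id": "evt-2", "event": {"type": "change"},  # unknown provider key pointing at a non-system DLL
     "registry": {"path": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\ExtraProvider\DllName",
                  "data": {"strings": [r"C:\ProgramData\unknown_provider.dll"]}}},
    {"id": "evt-3", "event": {"type": "change"},  # same key, but the value written is not a DLL path
     "registry": {"path": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\ExtraProvider\Enabled",
                  "data": {"strings": ["1"]}}},
    {"id": "evt-4", "event": {"type": "creation"},  # key creation, not a value change
     "registry": {"path": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\ExtraProvider"}},
    {"id": "evt-5", "event": {"type": "change"},  # DLL write outside the TimeProviders subtree
     "registry": {"path": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ServiceDll",
                  "data": {"strings": [r"C:\Windows\system32\w32time.dll"]}}},
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # ['evt-1', 'evt-2']
```

Note that evt-1 also fires: the query matches any DLL path written under TimeProviders, so triage should check whether the DllName value points at the expected w32time.dll in System32 rather than an unexpected location.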