T1547.003SubTechniquepersistenceprivilege-escalationagent-callable

T1547.003Time Providers

Sub-technique of T1547

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider) Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\</code>.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider) Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)

ATT&CK tactics· 2

PersistencePrivilege Escalation

References

  1. https://attack.mitre.org/techniques/T1547/003
  2. https://github.com/scottlundgren/w32time
  3. https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings
  4. https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top
  5. https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
  6. https://technet.microsoft.com/en-us/sysinternals/bb963902
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.