{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/time-provider/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","VMware Tools"],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","time-provider"],"_cs_type":"advisory","_cs_vendors":["Microsoft","VMware"],"content_html":"\u003cp\u003eThe Windows Time service (W32Time) synchronizes the system clock with other devices on the network, using time providers implemented as DLL files located in the System32 folder. This architecture can be abused by adversaries to establish persistence by registering and enabling a malicious DLL as a time provider. The W32Time service starts during Windows startup and loads w32time.dll. This technique involves modifying specific registry keys associated with the Time Providers, enabling a malicious DLL to be loaded and executed every time the service starts. This can allow an attacker to maintain persistent access to the system, even after a reboot. The Elastic Security team has identified this persistence method and provided a detection rule to identify such modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit, phishing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains administrator privileges on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or deploys a malicious DLL to be used as a time provider.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry to register the malicious DLL as a valid time provider. The registry keys under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\\u003c/code\u003e are targeted.\u003c/li\u003e\n\u003cli\u003eThe attacker enables the newly registered time provider.\u003c/li\u003e\n\u003cli\u003eThe W32Time service is restarted, or the system is rebooted.\u003c/li\u003e\n\u003cli\u003eThe W32Time service loads the malicious DLL, executing the attacker\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to achieve persistence on the compromised system. The attacker can execute arbitrary code every time the W32Time service starts. This may lead to further malicious activities, such as data theft, lateral movement, or the installation of additional malware. The impact is significant, as the attacker can maintain long-term control over the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eTime Provider DLL Registration\u003c/code\u003e to detect the registration of new DLL files as Time Providers in the registry.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture registry modifications, as this is a requirement for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any registry changes to the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\\u003c/code\u003e path, especially those adding new DLLs, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003emsiexec.exe\u003c/code\u003e installing DLLs in the \u003ccode\u003eProgram Files\\VMware\\VMware Tools\u003c/code\u003e directory, which could indicate legitimate activity, but should still be validated.\u003c/li\u003e\n\u003cli\u003eRegularly audit and validate the list of registered Time Providers on critical systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-time-provider-modification/","summary":"Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider by modifying registry keys associated with the W32Time service.","title":"Potential Persistence via Time Provider Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-time-provider-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Time-Provider","version":"https://jsonfeed.org/version/1.1"}