Behavioral correlation of privileged registry key creation under the W32Time TimeProviders path, combined with a new DLL written to disk and potential process activity by LocalService. Indicates abuse of Time Providers for persistence.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| RegistryPathScope | May need to be tuned to only monitor `W32Time\TimeProviders` subkey path for performance optimization |
| UserContext | Should focus on activity from administrative or SYSTEM accounts |
| TimeWindow | Controls correlation window between registry modification and DLL drop |
| DllPathEntropyThreshold | Used for anomaly scoring on DLL path patterns (e.g., random names or temp directories) |
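As an added worked example (not part of this analytic), the correlation above run in Python over constructed Sysmon-style records: a Sysmon 13 write under `W32Time\TimeProviders` is paired with a Sysmon 11 creation of the same DLL inside the time window, then Sysmon 1/7 activity by LocalService touching that DLL is counted, and the DLL name is scored with Shannon entropy. The field names are Sysmon's; the 300-second window, the 2.5 entropy threshold and the `\temp\` path heuristic are assumptions standing in for the TimeWindow and DllPathEntropyThreshold tunables, and UserContext filtering is left to the reader via the `writer` field.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

TP_PATH = "\\services\\w32time\\timeproviders\\"  # subtree scoped by RegistryPathScope

def entropy(s):
    """Shannon entropy of a string; randomly named DLLs score higher than vendor names."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s.lower()).values()) if n else 0.0

def ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")

def correlate(events, window_s=300, entropy_threshold=2.5):
    """Pair a Sysmon 13 TimeProviders write with a Sysmon 11 drop of the same DLL,
    then count Sysmon 1/7 activity by LocalService on that DLL (window/threshold assumed)."""
    window = timedelta(seconds=window_s)
    reg = [e for e in events if e["EventCode"] == 13 and TP_PATH in e["TargetObject"].lower()]
    drops = [e for e in events if e["EventCode"] == 11 and e["TargetFilename"].lower().endswith(".dll")]
    alerts = []
    for r in reg:
        dll = r.get("Details", "").lower()
        for d in drops:
            if d["TargetFilename"].lower() != dll or abs(ts(d) - ts(r)) > window:
                continue
            followup = [e for e in events if e["EventCode"] in (1, 7)
                        and "local service" in e.get("User", "").lower()
                        and dll in (e.get("ImageLoaded", "") + e.get("CommandLine", "")).lower()
                        and ts(r) <= ts(e) <= ts(r) + window]
            name = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            alerts.append({"key": r["TargetObject"], "dll": dll, "writer": r.get("User", ""),
                           "high_entropy": entropy(name) >= entropy_threshold or "\\temp\\" in dll,
                           "localservice_activity": len(followup)})
    return alerts

def sample_events():
    """Constructed Sysmon-style records (not real telemetry): a benign config change, then a provider pointing at a dropped DLL."""
    return [
        {"EventCode": 13, "UtcTime": "2024-01-01 09:00:00", "User": "NT AUTHORITY\\SYSTEM",
         "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpClient\\Enabled",
         "Details": "DWORD (0x00000001)"},
        {"EventCode": 11, "UtcTime": "2024-01-01 09:59:30", "Image": "C:\\Users\\admin\\stage.exe",
         "TargetFilename": "C:\\Windows\\Temp\\x7q2k9.dll"},
        {"EventCode": 13, "UtcTime": "2024-01-01 10:00:00", "User": "NT AUTHORITY\\SYSTEM",
         "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\EvilTP\\DllName",
         "Details": "C:\\Windows\\Temp\\x7q2k9.dll"},
        {"EventCode": 7, "UtcTime": "2024-01-01 10:02:00", "User": "NT AUTHORITY\\LOCAL SERVICE",
         "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\Temp\\x7q2k9.dll"},
    ]
```

Only the second registry write produces an alert; the benign `NtpClient\Enabled` change has no matching DLL creation and is dropped, and shrinking the window below the 30-second gap between the drop and the write suppresses the alert too.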