|Permissions Required||Administrator, SYSTEM|
|Data Sources||API monitoring, Binary file metadata, DLL monitoring, File monitoring, Loaded DLLs, Process Monitoring|
|Contributors||Scott Lundgren, @5twenty9, Carbon Black|
The Windows Time service (W32Time) enables time synchronization across and within domains.1 W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.2
Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\.2 The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.2
Adversaries may abuse this architecture to establish Persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.3
Consider using Group Policy to configure and block subsequent modifications to W32Time parameters.7
Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility.7 There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk.3
The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers.8
- Microsoft. (2018, February 1). Windows Time Service (W32Time). Retrieved March 26, 2018.
- Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
- Lundgren, S. (2017, October 28). w32time. Retrieved March 26, 2018.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.