Installation of Time Providers¶
Attackers may establish persistence by registering a DLL with Windows as a valid time provider.
| id: | 3056a14a-59d9-43d3-84b5-738b4b8c3dd7 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Persistence |
|---|---|
| techniques: | T1209 Time Providers |
Query¶
registry where
registry_path == "*\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\*"