T1209 · threatengine.sh

Home/ATT&CK Technique/Time Providers

ATT&CK Technique

Time Providers

T1209 · persistence

▤ Generate a SIEM detection for T1209 ◈ Vendor-native detections for T1209 ⚠ CVEs mapped to T1209 ♛ Hunt package for T1209 ◎ Check your coverage for T1209

The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\.

The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. Adversaries may abuse this architecture to establish Persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.

Windows

▸ How to use this page - the detection-engineering loop

Attackers have goals (tactics - “get credentials”, “move laterally”) and techniques are the concrete methods they use to reach them. This page is one method - T1209 - broken into everything you need to catch it.

The loop this page is built for (this is the job):

Understand the behaviour - read the description and the Atomic Tests to see exactly what the attacker does on a host or network.
Find the telemetry - what data source would reveal it (process creation, registry, network flow, auth logs). Detection Coverage shows which surfaces already have a rule and which are blind.
Get or write the detection - adapt ready logic (CAR Analytics, SIEM Detections, Falco, or Sigma via Generate a SIEM detection), or author your own.
Test it - run an Atomic Test in a lab and confirm your rule actually fires. A detection you have not tested is a hope, not coverage.
Deploy and tune - push it, then watch for false positives and adjust.

What each panel is for:

Atomic Testssafely reproduce the technique in a lab to validate that a detection fires. Detection Coveragewhich detection surfaces have a rule for this technique; none is a blind spot to close, or simply not applicable (YARA matches files, not network behaviour). CAR / SIEM / Falcoready-made detection logic (Splunk SPL, Elastic EQL, Sentinel KQL, Falco) you adapt to your own SIEM. Mitigationsreduce exposure so the technique is harder to use at all - prevent, not just detect. Actors / Attributionwho actually uses this, so you prioritise by your own threat model. Attack Path / LOTLwhat attackers do before and after this step, and the legitimate tools they abuse to do it.

Where this fits: you usually arrive here from a CVE (“which techniques does it enable”) and leave with a tested detection deployed. The buttons above jump straight to building one, the deployable rules, the CVEs that use T1209, and a hunt package.

◈

Detection Coverage

0/9 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) none

Analytics (MITRE CAR) none

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

SIEM (Splunk ESCU) none

SIEM (Elastic) none

SIEM (Azure Sentinel) none

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)