Update registry_set_timeproviders_dllname.yml

This commit is contained in:
Florian Roth
2022-06-21 16:32:21 +02:00
committed by GitHub
parent 2219910c43
commit aee4ebb01a
@@ -2,9 +2,7 @@ title: Set TimeProviders DllName
id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85
status: experimental
description: |
Detects set DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider
Adversaries may abuse time providers to execute DLLs when the system boots.
The Windows Time service (W32Time) enables time synchronization across and within domains.
Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
author: frack113
date: 2022/06/19
references:
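Review bot: The rewritten description line still reads "in DllName in under HKEY_LOCAL_MACHINE\...", which carries the doubled preposition over from the old text, and the path ends in "TimeProvider" while the rule title says "TimeProviders". Suggest "Detects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders", after checking the key name against the rule's detection section so the description matches what is actually matched. Since `description: |` is kept, the text is now one very long literal line. Either wrap it under the block scalar or switch to a folded scalar so it stays readable in diffs.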
@@ -26,4 +24,4 @@ level: high
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1547.003
- attack.t1547.003
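Review bot: The removed and added `- attack.t1547.003` lines are identical as shown, so this last tag line changes only in whitespace or in the newline at end of file. Please confirm the file now ends with exactly one trailing newline and that the tag line has no trailing spaces, so the change does not flip back on the next edit.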