New TimeProviders Registered With Uncommon DLL Name (e88a6ddc-74f7-463b-9b26-f69fc0d2ce85)

Detects processes setting a new DLL in the DllName value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| New TimeProviders Registered With Uncommon DLL Name (e88a6ddc-74f7-463b-9b26-f69fc0d2ce85) | Sigma-Rules | Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc) | Attack Pattern | 1 |
| Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |