AN0341: Analytic 0341
Behavioral correlation of privileged registry key creation under the W32Time TimeProviders path combined with a new DLL written to disk and potential process activity by LocalService. Indicates abuse of Time Providers for persistence.
Analyst context for executives and security teams
AN0341 is a Windows detection analytic focused on a persistence pattern: suspicious creation of privileged registry keys under the W32Time TimeProviders path, paired with a newly written DLL and possible activity by LocalService. For leaders, the value is not just detecting a registry change; it is validating whether the organization can correlate registry, file, and process evidence quickly enough to identify stealthy persistence before it becomes a longer incident-response problem.
Executive priority
Prioritize this analytic where Windows systems support critical business operations or privileged service activity is material to audit and resilience requirements. The business question is whether SOC and IR teams can prove they monitor persistence-relevant registry paths, newly introduced DLLs, and LocalService-associated process activity together, not as isolated alerts. This supports control assurance, incident scoping, and readiness evidence without assuming this analytic alone provides complete coverage.
Technical view
Validate telemetry and correlation for Windows events involving privileged registry key creation under the W32Time TimeProviders path, newly written DLL files, and possible process activity by LocalService. Because no official detection logic is supplied, teams should treat AN0341 as a behavioral correlation requirement rather than a turnkey rule. Tune around expected Windows Time service or administrative activity, and require multi-signal context to reduce noise from benign configuration or maintenance changes.
Likely telemetry
- Windows registry creation or modification events for W32Time TimeProviders-related paths
- File creation telemetry for newly written DLLs
- Process execution or process activity telemetry involving LocalService context
- Host-based security logs or EDR telemetry capable of correlating registry, file, and process activity
- Asset and change-management context for authorized Windows Time service configuration changes
Detection direction
- Confirm collection coverage for registry, file, and process telemetry on Windows endpoints where this persistence path is relevant.
- Correlate privileged registry key creation under the W32Time TimeProviders path with a newly written DLL instead of alerting on one signal alone.
- Review LocalService-associated process activity in temporal proximity to the registry and DLL events.
- Establish known-good baselines for legitimate Windows Time Provider configuration to reduce false positives.
- Document blind spots where registry auditing, DLL file creation visibility, or service-context process telemetry is missing.
Mitigation priorities
- Restrict and monitor privileged changes to Windows service and registry configuration areas relevant to Time Providers.
- Ensure endpoint logging or EDR policies capture registry key creation, DLL writes, and process activity needed for correlation.
- Use change-management records to distinguish approved time-service configuration changes from unexpected persistence indicators.
- Include this behavior in incident-response triage playbooks for Windows persistence investigation.
- Periodically test whether SOC workflows can connect the registry, file, and LocalService activity into a single case.
Analyst notes and limits
This object is a detection analytic, not a technique description. The supplied ATT&CK content identifies the Windows platform and the behavior to correlate, but it does not provide tactics, official detection logic, related techniques, procedures, or adversary relationships. The strongest use is as a coverage-validation prompt for managed detection, IR readiness, and Windows persistence monitoring.
No official detection query, relationship context, tactic mapping, adversary usage, or mitigation text was supplied. Local baselines are required to determine which W32Time TimeProviders changes are normal, which DLL writes are authorized, and whether LocalService activity is suspicious in a given environment.
Analytic 0341
Behavioral correlation of privileged registry key creation under the W32Time TimeProviders path combined with a new DLL written to disk and potential process activity by LocalService. Indicates abuse of Time Providers for persistence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 87c6c17594b9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0341Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.