DET0122: Detect Abuse of Windows Time Providers for Persistence
Analyst context for executives and security teams
DET0122 matters because it points defenders at a persistence pattern tied to Windows Time Providers: adversaries may abuse W32Time time provider DLL registration so code runs when the system boots. For leaders, the business issue is not time synchronization itself, but whether a trusted Windows service path can become an overlooked persistence and privilege-escalation foothold that survives reboots and complicates incident recovery.
Executive priority
Prioritize this as a Windows persistence validation item where operational resilience, domain infrastructure hygiene, and incident recovery confidence are important. Security leaders should ask whether SOC and IR teams can prove they monitor changes to Windows Time service provider configuration and related DLL loading behavior, and whether recovery playbooks include checks for boot-time persistence mechanisms before declaring hosts clean.
Technical view
The supplied ATT&CK object is a detection strategy with no official detection text, but it is related to ATT&CK technique T1547.003, Time Providers, under persistence and privilege-escalation on Windows. SOC and detection teams should validate telemetry around Windows Time service activity, registry changes for time provider registration locations, service start or boot-time behavior, and DLL load events associated with W32Time. IR teams should include this persistence location in host triage when investigating suspicious reboot-surviving execution or privilege-escalation paths.
Likely telemetry
- Windows registry modification events related to W32Time time provider configuration
- Windows Time service configuration and start activity
- DLL load telemetry for the Windows Time service process context
- Endpoint detection and response host activity records
- System boot and service initialization logs
Detection direction
- Confirm whether registry auditing or endpoint telemetry captures changes to Windows Time Provider registration locations; absence of this telemetry is a likely blind spot.
- Baseline expected W32Time provider configuration on representative Windows systems, then alert on unexpected provider additions or changed DLL paths.
- Correlate time provider configuration changes with subsequent service start, reboot, or DLL load activity to reduce noise.
- Treat administrative configuration changes carefully: legitimate time synchronization maintenance may produce related events, so detections should account for approved change windows and known provider values.
- Use the relationship to T1547.003 to place alerts in a persistence and privilege-escalation investigation workflow rather than treating them as isolated configuration drift.
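The correlation step above, written out as an added PowerShell example (not part of the DET0122 object or of any MITRE content). It runs a registry-change-then-DLL-load check over a handful of constructed Sysmon-style records: Event ID 13 (registry value set) and Event ID 7 (image loaded). The event shapes, the approved-provider baseline, the `UpdateSync` provider name and the `C:\ProgramData\Sync\tsync.dll` path are all invented for the demonstration; the `Services\W32Time\TimeProviders\<name>\DllPath` location is Microsoft's documented W32Time configuration, not something taken from this page.

```powershell
# Added example: correlate a W32Time provider registration change with a later DLL load
# by the Time service host (svchost.exe). Events below are CONSTRUCTED Sysmon-style
# records; in production feed Get-WinEvent output from Microsoft-Windows-Sysmon/Operational.
$Events = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:00:00'; EventId = 13; Image = 'C:\Windows\System32\svchost.exe'
        TargetObject = 'HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\DllPath'
        Details = '%systemroot%\system32\w32time.dll'; ImageLoaded = $null; SignatureStatus = $null }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:12:30'; EventId = 13; Image = 'C:\Windows\System32\reg.exe'
        TargetObject = 'HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\UpdateSync\DllPath'   # invented provider
        Details = 'C:\ProgramData\Sync\tsync.dll'; ImageLoaded = $null; SignatureStatus = $null }            # invented path
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:15:05'; EventId = 7; Image = 'C:\Windows\System32\svchost.exe'
        TargetObject = $null; Details = $null; ImageLoaded = 'C:\ProgramData\Sync\tsync.dll'; SignatureStatus = 'Unavailable' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:16:00'; EventId = 7; Image = 'C:\Windows\System32\svchost.exe'
        TargetObject = $null; Details = $null; ImageLoaded = 'C:\Windows\System32\w32time.dll'; SignatureStatus = 'Valid' }
)

# Assumed organizational baseline: provider name -> approved DllPath. Replace with your own.
$ApprovedProviders = @{
    'NtpClient'        = '%systemroot%\system32\w32time.dll'
    'NtpServer'        = '%systemroot%\system32\w32time.dll'
    'VMICTimeProvider' = '%systemroot%\system32\vmictimeprovider.dll'
}

function Find-TimeProviderAbuse {
    param(
        [object[]]$Events,
        [hashtable]$Baseline = $ApprovedProviders,
        [int]$WindowMinutes = 30
    )
    $pattern = '\\Services\\W32Time\\TimeProviders\\([^\\]+)\\DllPath$'
    $loads   = $Events | Where-Object { $_.EventId -eq 7 -and $_.Image -like '*\svchost.exe' }

    foreach ($reg in ($Events | Where-Object { $_.EventId -eq 13 -and $_.TargetObject -match $pattern })) {
        $provider = [regex]::Match($reg.TargetObject, $pattern).Groups[1].Value
        $newPath  = [Environment]::ExpandEnvironmentVariables($reg.Details)
        $expected = if ($Baseline.ContainsKey($provider)) {
            [Environment]::ExpandEnvironmentVariables($Baseline[$provider]) } else { $null }

        # Approved provider set to its approved DLL is routine maintenance: no alert.
        if ($expected -and ($expected -ieq $newPath)) { continue }

        # Did the Time service host load the newly registered DLL within the window?
        $load = $loads | Where-Object {
            ($_.ImageLoaded -ieq $newPath) -and
            ($_.TimeCreated -ge $reg.TimeCreated) -and
            (($_.TimeCreated - $reg.TimeCreated).TotalMinutes -le $WindowMinutes)
        } | Select-Object -First 1

        [pscustomobject]@{
            Provider     = $provider
            NewDllPath   = $newPath
            ChangedBy    = $reg.Image
            RegistryTime = $reg.TimeCreated
            LoadedAt     = if ($load) { $load.TimeCreated } else { $null }
            DllSignature = if ($load) { $load.SignatureStatus } else { 'not loaded in window' }
            Severity     = if ($load) { 'High' } else { 'Medium' }   # loaded + unexpected = persistence achieved
        }
    }
}

Find-TimeProviderAbuse -Events $Events | Format-List
```

With the constructed input, the NtpClient change is suppressed because it matches the baseline, while the UpdateSync registration is raised as High: an unknown provider whose DLL was then loaded by svchost.exe with no valid signature. Tune the window to how quickly W32Time restarts in your environment; a change with no load inside the window still warrants a Medium finding, since the DLL runs at the next service start or reboot.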
Mitigation priorities
- Establish and document approved Windows Time Provider configurations for managed Windows assets.
- Restrict and monitor administrative access capable of changing service and registry configuration relevant to W32Time.
- Ensure endpoint logging or EDR coverage includes registry changes, service activity, and DLL load visibility needed to investigate this technique.
- Add Time Providers checks to incident response persistence review procedures before system restoration or case closure.
- Use configuration management or compliance evidence to verify that unauthorized provider entries are not present across critical Windows systems.
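A host-side check for the baseline item above and for the compliance verification in the mitigation list, as an added PowerShell example that is not part of the DET0122 object. It enumerates the registered W32Time providers, compares each `DllPath` against an approved list, and verifies the DLL exists and is Authenticode-signed. The registry location is Microsoft's documented W32Time configuration; the `$ApprovedProviders` values are an assumed baseline for illustration and should be replaced with what your configuration management says is approved.

```powershell
# Added example: audit W32Time provider registration on the local host against a baseline.
# Requires an elevated session to read HKLM reliably. Registry path is Microsoft-documented;
# baseline values are assumptions standing in for your organization's approved configuration.
$ProvidersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders'

$ApprovedProviders = @{
    'NtpClient'        = '%systemroot%\system32\w32time.dll'
    'NtpServer'        = '%systemroot%\system32\w32time.dll'
    'VMICTimeProvider' = '%systemroot%\system32\vmictimeprovider.dll'
}

function Get-W32TimeProviderFindings {
    param(
        [string]$Key = $ProvidersKey,
        [hashtable]$Baseline = $ApprovedProviders
    )
    $findings = @()
    foreach ($sub in Get-ChildItem -Path $Key -ErrorAction Stop) {
        $props   = Get-ItemProperty -Path $sub.PSPath
        $name    = $sub.PSChildName
        # Get-ItemProperty already expands REG_EXPAND_SZ, so compare both sides expanded.
        $dllPath = [Environment]::ExpandEnvironmentVariables([string]$props.DllPath)
        $enabled = [int]$props.Enabled

        $reasons = @()
        if (-not $Baseline.ContainsKey($name)) {
            $reasons += 'provider not in approved baseline'
        } else {
            $expected = [Environment]::ExpandEnvironmentVariables($Baseline[$name])
            if (-not ($expected -ieq $dllPath)) { $reasons += "DllPath differs from baseline ($expected)" }
        }

        if (-not $dllPath) {
            $reasons += 'DllPath value missing'
        } elseif (-not (Test-Path -LiteralPath $dllPath)) {
            $reasons += 'DllPath does not exist on disk'
        } else {
            $sig = Get-AuthenticodeSignature -LiteralPath $dllPath
            if ($sig.Status -ne 'Valid') { $reasons += "DLL signature status: $($sig.Status)" }
        }

        $findings += [pscustomobject]@{
            Provider = $name
            Enabled  = $enabled
            DllPath  = $dllPath
            Reasons  = ($reasons -join '; ')
        }
    }
    # Providers the baseline expects but the host lacks are also drift worth recording.
    foreach ($missing in $Baseline.Keys | Where-Object { $_ -notin $findings.Provider }) {
        $findings += [pscustomobject]@{ Provider = $missing; Enabled = $null; DllPath = $null
                                        Reasons = 'approved provider not registered on host' }
    }
    $findings
}

# Any row with a non-empty Reasons column needs review; an enabled, unsigned, out-of-baseline
# provider is the pattern T1547.003 describes.
Get-W32TimeProviderFindings | Format-Table -AutoSize
```

Run it as part of IR host triage before declaring a system clean, or schedule it through configuration management and diff the output against the last approved run. Note that a provider with `Enabled` set to 0 is still a registered DLL path that an adversary can flip on later, so flag it rather than ignore it.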
Analyst notes and limits
This take is based on the detection strategy identifier DET0122 and its relationship to ATT&CK technique T1547.003, Time Providers. The relationship supplies the practical context: Windows, persistence, privilege-escalation, W32Time, and DLL-based time providers registered through registry subkeys. Because the DET0122 object itself has no official description or detection text, local baselines and telemetry validation are essential.
The supplied DET0122 fields do not include official detection logic, platforms, tactics, or a detailed description. The related technique description is partial, so this summary avoids naming exact registry paths or providing procedural abuse instructions. No claim is made about active exploitation, attribution, or existing detection coverage.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.003 | Time Providers (sub-technique of T1547, Boot or Logon Autostart Execution) | This detection strategy covers Time Providers. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 01a077537cdf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0122 (source record)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.