T1547.003: Time Providers

Time Providers is a Windows persistence and privilege-escalation technique that abuses the Windows Time service’s provider model. Because W32Time can load registered provider DLLs at startup or when parameters change, an attacker with administrator-level ability to register a provider could cause code to run repeatedly in the Local Service context. For leaders, the significance is not time synchronization itself; it is that a trusted operating system service can become an autostart location that may be missed if persistence reviews focus only on common Run keys or services.

Executive priority

Prioritize this as a Windows resilience and audit-evidence issue where domain-joined systems, servers, or regulated endpoints depend on trustworthy baseline configuration. Security leaders should ask whether teams can prove who can modify W32Time TimeProviders registry keys, who can write DLLs in referenced locations, and whether SOC/IR playbooks include this less common autostart mechanism. This is most relevant to control validation, incident scoping, privileged-access governance, and persistence hunting rather than broad platform coverage beyond Windows.

Technical view

Validate Windows monitoring around the registry path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\ and its provider subkeys, especially creation or modification of provider configuration such as DllName and enabled state. IR teams should compare observed providers against known-good baselines and investigate unexpected DLL paths or recent changes. Because ATT&CK does not provide official detection text for this object, use the related detection strategy DET0122 as direction to build or assess detection logic for abuse of Windows Time Providers. Tie findings to the parent Boot or Logon Autostart Execution technique and treat suspicious changes as persistence evidence requiring endpoint triage.

Likely telemetry

Windows registry auditing or EDR telemetry for W32Time TimeProviders key and subkey creation/modification
File creation and modification telemetry for DLLs referenced by Time Provider registry values
Service control or system startup context showing Windows Time service activity
Endpoint process/module-load telemetry showing W32Time-related loading of provider DLLs where available
Administrative account activity associated with registry or file-system changes

Detection direction

Baseline legitimate W32Time provider subkeys and alert on new, renamed, or modified providers under the TimeProviders registry path.
Correlate TimeProviders registry changes with DLL file creation or modification, especially where the referenced DLL path is unusual for the local system baseline.
Tune for authorized administrative changes to Windows Time configuration to reduce false positives, but require change evidence for new provider DLL registrations.
Check for blind spots in registry telemetry: many environments collect process events but not detailed HKLM service-configuration changes.
Use the relationship to DET0122 as a validation target, while recognizing the ATT&CK object itself supplies no official detection procedure.

Mitigation priorities

Restrict registry permissions on the W32Time TimeProviders keys so only authorized administrators or processes can modify provider registrations.
Restrict file and directory permissions for locations that can host provider DLLs, limiting unauthorized write access.
Enforce least privilege for administrative access because ATT&CK notes administrator privileges are required for time provider registration.
Include W32Time provider settings in configuration baselines, compliance checks, and incident response persistence-review checklists.
During remediation, validate both the registry registration and the referenced DLL location rather than removing only one artifact.

Analyst notes and limits

This object is a Windows-only ATT&CK sub-technique under Boot or Logon Autostart Execution, mapped to persistence and privilege escalation. The key business value is confirming that defensive coverage includes obscure but legitimate autostart extension points, not just common startup folders, services, and Run keys. The revoked predecessor T1209 indicates this behavior has been reorganized into the current T1547.003 sub-technique.

The supplied ATT&CK fields do not include official detection text, procedure examples, impact claims, or attribution. Any assessment of exposure or detection coverage requires local endpoint telemetry, registry baselines, file permissions, and change-management evidence. This take does not claim active exploitation or guaranteed detection.

Official MITRE ATT&CK definition

Time Providers

Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.[1] W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.[2]

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\`.[2] The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.[2]

Adversaries may abuse this architecture to establish persistence, specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the `DllName` value. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.[3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 2 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1209	Time Providers	Time Providers revoked by this object.
Enterprise	T1547	Boot or Logon Autostart Execution	This object subtechnique of Boot or Logon Autostart Execution.

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1024: Restrict Registry Permissions Enterprise detects · Detection Strategy DET0122: Detect Abuse of Windows Time Providers for Persistence Enterprise mitigates · Mitigation M1022: Restrict File and Directory Permissions Enterprise revoked by · Technique T1209: Time Providers Enterprise subtechnique of · Technique T1547: Boot or Logon Autostart Execution Enterprise

Mitigations

Mitigation direction

M1024: Restrict Registry Permissions

Restricting registry permissions involves configuring access control settings for sensitive registry keys and hives to ensure that only authorized users or processes can make modifications. By limiting access, organizations can prevent unauthorized changes that adversaries might use for persistence, privilege escalation, or defense evasion. This mitigation can be implemented through the following measures:

Review and Adjust Permissions on Critical Keys

- Regularly review permissions on keys such as `Run`, `RunOnce`, and `Services` to ensure only authorized users have write access. - Use tools like `icacls` or `PowerShell` to automate permission adjustments.

Enable Registry Auditing

- Enable auditing on sensitive keys to log access attempts. - Use Event Viewer or SIEM solutions to analyze logs and detect suspicious activity. - Example Audit Policy: `auditpol /set /subcategory:"Registry" /success:enable /failure:enable`

Protect Credential-Related Hives

- Limit access to hives like `SAM`,`SECURITY`, and `SYSTEM` to prevent credential dumping or other unauthorized access. - Use LSA Protection to add an additional security layer for credential storage.

Restrict Registry Editor Usage

- Use Group Policy to restrict access to regedit.exe for non-administrative users. - Block execution of registry editing tools on endpoints where they are unnecessary.

Deploy Baseline Configuration Tools

- Use tools like Microsoft Security Compliance Toolkit or CIS Benchmarks to apply and maintain secure registry configurations.

*Tools for Implementation*

Registry Permission Tools:

- Registry Editor (regedit): Built-in tool to manage registry permissions. - PowerShell: Automate permissions and manage keys. `Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "KeyName" -Value "Value"` - icacls: Command-line tool to modify ACLs.

Monitoring Tools:

- Sysmon: Monitor and log registry events. - Event Viewer: View registry access logs.

Policy Management Tools:

- Group Policy Management Console (GPMC): Enforce registry permissions via GPOs. - Microsoft Endpoint Manager: Deploy configuration baselines for registry permissions.

M1022: Restrict File and Directory Permissions

Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.

Enforce Least Privilege Permissions:

- Remove unnecessary write permissions on sensitive files and directories. - Use file ownership and groups to control access for specific roles.

Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs.

Harden File Shares:

- Disable anonymous access to shared folders. - Enforce NTFS permissions for shared folders on Windows.

Example: Set permissions to restrict write access to critical files, such as system executables (e.g., `/bin` or `/sbin` on Linux). Use tools like `chown` and `chmod` to assign file ownership and limit access.

On Linux, apply: `chmod 750 /etc/sensitive.conf` `chown root:admin /etc/sensitive.conf`

File Integrity Monitoring (FIM):

- Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.

Audit File System Access:

- Enable auditing to track permission changes or unauthorized access attempts. - Use auditd (Linux) or Event Viewer (Windows) to log activities.

Restrict Startup Directories:

- Configure permissions to prevent unauthorized writes to directories like `C:\ProgramData\Microsoft\Windows\Start Menu`.

Example: Restrict write access to critical directories like `/etc/`, `/usr/local/`, and Windows directories such as `C:\Windows\System32`.

- On Windows, use icacls to modify permissions: `icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F` - On Linux, monitor permissions using tools like `lsattr` or `auditd`.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created: Jan 24, 2020, 15:51 UTC (UTC+00:00)
Modified: Oct 24, 2025, 17:48 UTC (UTC+00:00)
Raw hash: 0f86dc87134f6149...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.2	Oct 24, 2025, 17:48 UTC (UTC+00:00)	Current bundle	`0f86dc87134f…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Microsoft W32Time Feb 2018

Microsoft. (2018, February 1). Windows Time Service (W32Time). Retrieved March 26, 2018.
Open source URL
[2]
Microsoft TimeProvider

Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
Open source URL
[3]
Github W32Time Oct 2017

Lundgren, S. (2017, October 28). w32time. Retrieved March 26, 2018.
Open source URL
[4]
Microsoft W32Time May 2017

Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.
Open source URL
[5]
TechNet Autoruns

Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
Open source URL
[6]
mitre-attack T1547.003
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams