Merge pull request #904 from jtothej/timeprovider

Add new rule act-as-time-provider-dll.yml
mandiant · Jun 1, 2024 · 4c2dec5 · 4c2dec5
2 parents b0b9da3 + bdb6997
commit 4c2dec5
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/persistence/act-as-time-provider-dll.yml b/persistence/act-as-time-provider-dll.yml
@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: act as Time Provider DLL
+    namespace: persistence
+    authors:
+      - [email protected]
+    scopes:
+      static: file
+      dynamic: file
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Time Providers [T1547.003]
+    references:
+      - https://learn.microsoft.com/en-gb/windows/win32/sysinfo/creating-a-time-provider
+    examples:
+      - d68ce802ef22a1bafc00c2e6675959f177ce8aed91003a053ac0c888bec42c54
+  features:
+    - or:
+      - export: TimeProvClose
+      - export: TimeProvCommand
+      - export: TimeProvOpen