From bdb6997cd51548fe1065b3bc37f495f1382e1483 Mon Sep 17 00:00:00 2001
From: jtothej
Date: Sat, 1 Jun 2024 12:14:24 +0800
Subject: [PATCH] Add new rule act-as-time-provider-dll.yml

---
 persistence/act-as-time-provider-dll.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 persistence/act-as-time-provider-dll.yml

diff --git a/persistence/act-as-time-provider-dll.yml b/persistence/act-as-time-provider-dll.yml
new file mode 100644
index 00000000..ec76ccb9
--- /dev/null
+++ b/persistence/act-as-time-provider-dll.yml
@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: act as Time Provider DLL
+    namespace: persistence
+    authors:
+      - jakub.jozwiak@mandiant.com
+    scopes:
+      static: file
+      dynamic: file
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Time Providers [T1547.003]
+    references:
+      - https://learn.microsoft.com/en-gb/windows/win32/sysinfo/creating-a-time-provider
+    examples:
+      - d68ce802ef22a1bafc00c2e6675959f177ce8aed91003a053ac0c888bec42c54
+  features:
+    - or:
+      - export: TimeProvClose
+      - export: TimeProvCommand
+      - export: TimeProvOpen
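Review bot: The `or` block under `features` lets any single one of the three exports satisfy the rule, whereas the referenced Microsoft page describes TimeProvOpen, TimeProvCommand and TimeProvClose together as the interface a provider DLL implements for w32time, so the match is looser than the documented contract; if partial matches are deliberate for robustness against stripped or renamed exports, state that in the meta, otherwise `- and:` is the closer fit. Note also that the time providers shipped with Windows (w32time.dll itself, I believe, and the Hyper-V time-sync provider) expose the same entry points, so this rule identifies the capability rather than anything malicious, and analysts should expect hits on benign system DLLs. The rule covers only the payload side of T1547.003 — the registration that actually produces persistence, a write under `SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\<name>` setting `DllName`/`Enabled`, is a separate capability that would belong in a sibling rule. A `description:` line in meta such as `exports the TimeProv* entry points w32time calls on a registered time provider DLL; legitimate providers also match` would make that scope explicit.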