Time Providers

Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time provides are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.

The Windows Time Service (32Time) synchronizes the date and time for all computers running in Active Directory Domain Services (AD DS). Time synchronization is critical for the proper operation of many Windows services and line-of-business applications. The Windows Time service uses the Network Time Protocol (NTP) to synchronize computer clocks on the network. NTP ensures that an accurate clock value, or timestamp, can be assigned to network validation and resources access requests.

This approach requires Administrator Privileges as this resides in the System32 folder.

Will add a Registry Key that will call our malicious DLL File

Administrator Cmd:

There is an already Registered Key so I will just accept to overwrite the DLLs values.

We can view the Service with the sc.exe command and query the properties.

We see that it's currently running let us stop it and start the service back up again but this time we will be gaining a reverse shell from this technique.

Our Listener:

Service stopped and started:

Shell:

References:

https://pentestlab.blog/2019/10/22/persistence-time-providers/

https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-top

Last updated