
Summary
This detection rule identifies modifications to the Windows Time Provider registry keys. Adversaries may abuse the Windows Time Provider architecture by registering a malicious DLL as a time provider to achieve persistence on the system: when Windows starts, the W32Time service loads w32time.dll from the System32 folder and calls the registered time providers to obtain accurate timestamps, so a DLL registered as a provider is loaded along with the service. The rule monitors changes to the registry paths under which Time Providers are registered, looking for new DLL registrations; a DLL added there that is not an expected provider may indicate an attempt to establish persistent access. The rule is written in EQL (Event Query Language) over registry events. Investigation should cover the process that made the registry change, the details of the W32Time service, and the signature of the registered DLL.
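As an added example (not the rule's own EQL query), the check the summary describes expressed in Python over constructed registry events: it matches the documented `TimeProviders\<provider>\DllName` value path and flags any DLL other than the built-in w32time.dll. The ECS-style field names, the `%SystemRoot%` expansion and the allowlist are assumptions.

```python
import re
from typing import Dict, List

# Windows keeps one subkey per time provider under the W32Time service key; the
# provider's DllName value names the DLL that W32Time loads when the service starts.
TIME_PROVIDER_DLLNAME = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\W32Time"
    r"\\TimeProviders\\[^\\]+\\DllName$",
    re.IGNORECASE,
)

# Assumption: on a stock host the only DLL expected here is the built-in
# w32time.dll in System32. Add legitimate third-party providers for your fleet.
ALLOWLISTED_DLLS = {r"c:\windows\system32\w32time.dll"}


def normalize_dll_path(value: str) -> str:
    """Lower-case the path and expand %SystemRoot% (assumed to be C:\\Windows)."""
    expanded = re.sub(r"%systemroot%", r"C:\\Windows", value, flags=re.IGNORECASE)
    return expanded.strip().strip('"').lower()


def is_suspicious_time_provider_change(event: Dict[str, str]) -> bool:
    """True if a registry value-set event points a time provider at a non-allowlisted DLL."""
    if not TIME_PROVIDER_DLLNAME.match(event.get("registry.path", "")):
        return False  # not a provider DllName value; ignore
    dll = normalize_dll_path(event.get("registry.data.strings", ""))
    return dll not in ALLOWLISTED_DLLS


def find_suspicious_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of registry events down to the ones worth investigating."""
    return [e for e in events if is_suspicious_time_provider_change(e)]


# Constructed sample events in an ECS-like shape (field names are an assumption).
SAMPLE_EVENTS = [
    {  # built-in provider pointing at the expected DLL: benign
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\DllName",
        "registry.data.strings": r"%SystemRoot%\System32\w32time.dll",
        "process.name": "services.exe",
    },
    {  # new provider subkey whose DllName points into a user-writable directory
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\Updater\DllName",
        "registry.data.strings": r"C:\Users\Public\tpupdate.dll",
        "process.name": "reg.exe",
    },
    {  # unrelated W32Time value: not a provider DLL registration
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type",
        "registry.data.strings": "NTP",
        "process.name": "w32tm.exe",
    },
]

if __name__ == "__main__":
    for hit in find_suspicious_events(SAMPLE_EVENTS):
        print("suspicious:", hit["registry.path"], "->", hit["registry.data.strings"], "by", hit["process.name"])
```

The hit's `process.name` and the DLL path are the starting points for the investigation steps above: check the writing process, the W32Time service configuration and whether the DLL is signed.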
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- Network Traffic
- Sensor Health
ATT&CK Techniques
- T1547
- T1547.003
Created: 2021-01-19