Time Travel Debugging Utility Usage

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Sigma rule (View on GitHub)

title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
    - id: e76c8240-d68f-4773-8880-5c6f63595aaf
      type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
    - https://twitter.com/mattifestation/status/1196390321783025666
    - https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.credential-access
    - attack.t1218
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\tttracer.exe'
    condition: selection
falsepositives:
    - Legitimate usage by software developers/testers
level: high
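The rule above has a single selection: it fires on any process_creation event whose ParentImage ends with `\tttracer.exe`, i.e. on processes launched under the tracer rather than on tttracer.exe itself. The following is an added example, not code from the SigmaHQ rule or the Sigma project, that evaluates that selection the way a Sigma backend would (Sigma string matching is case-insensitive by default) over a handful of constructed process_creation events. The field names (ParentImage, Image, CommandLine) follow the Sigma Windows process_creation schema; the event contents are made up.

```python
# Added example (not part of the SigmaHQ rule or the Sigma project): a minimal
# evaluator for this rule's single selection, run over constructed
# process_creation events. Field names follow the Sigma Windows
# process_creation schema; the events themselves are constructed samples.

RULE_PARENT_SUFFIX = "\\tttracer.exe"  # the rule's `ParentImage|endswith` value


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `ParentImage|endswith: '\\tttracer.exe'`.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before the suffix check. An event with no ParentImage (or a
    non-string one) never matches.
    """
    parent = event.get("ParentImage")
    if not isinstance(parent, str):
        return False
    return parent.lower().endswith(RULE_PARENT_SUFFIX.lower())


def alerts(events):
    """Return the events that trigger the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Ordinary shell-launched notepad: no match.
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\System32\\explorer.exe",
     "CommandLine": "notepad.exe"},
    # Child of tttracer.exe: match.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\tttracer.exe",
     "CommandLine": "cmd.exe"},
    # Same, but the logging source upper-cased the path: still a match.
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\WINDOWS\\SYSTEM32\\TTTRACER.EXE",
     "CommandLine": "svchost.exe -k netsvcs"},
    # tttracer.exe itself being started: the rule keys on ParentImage, so no match.
    {"Image": "C:\\Windows\\System32\\tttracer.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "tttracer.exe /?"},
    # Look-alike name without the path separator before "tttracer.exe": no match,
    # which is why the rule's pattern keeps the leading backslash.
    {"Image": "C:\\temp\\payload.exe",
     "ParentImage": "C:\\temp\\nottttracer.exe",
     "CommandLine": "payload.exe"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "spawned by", hit["ParentImage"])
```

Running the block prints two alerts (the cmd.exe and svchost.exe children). The fourth event shows the boundary of this rule: the launch of tttracer.exe itself is not covered by a ParentImage check, which is the kind of gap a separate Image-based rule would address.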
