Time Travel Debugging Utility Usage

calendar Oct 9, 2022 · attack.defense_evasion attack.credential_access attack.t1218 attack.t1003.001  ·
Share on: linkedin copy

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Sigma rule (View on GitHub)

 1title: Time Travel Debugging Utility Usage
 2id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
 3related:
 4    - id: e76c8240-d68f-4773-8880-5c6f63595aaf
 5      type: derived
 6status: test
 7description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
 8references:
 9    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
10    - https://twitter.com/mattifestation/status/1196390321783025666
11    - https://twitter.com/oulusoyum/status/1191329746069655553
12author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
13date: 2020/10/06
14modified: 2022/10/09
15tags:
16    - attack.defense_evasion
17    - attack.credential_access
18    - attack.t1218
19    - attack.t1003.001
20logsource:
21    product: windows
22    category: process_creation
23detection:
24    selection:
25        ParentImage|endswith: '\tttracer.exe'
26    condition: selection
27falsepositives:
28    - Legitimate usage by software developers/testers
29level: high

References

  • Tttracer | LOLBAS

    Execute calc using tttracer.exe. Requires administrator privileges tttracer.exe C:\windows\system32\calc.exe Use caseSpawn process using other binary Privileges requiredAdministrator Operating syst...


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top