Execution of tttracer.exe in an environment may indicate adversaries abusing Time Travel Debugging to dump the memory of sensitive processes such as lsass.exe. SOC teams should proactively hunt for this behavior in Azure Sentinel, as it is a high-severity technique used to dump process memory while evading traditional detection mechanisms.
Detection Rule
title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
    - https://twitter.com/mattifestation/status/1196390321783025666
    - https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-12-02
tags:
    - attack.defense-evasion
    - attack.credential-access
    - attack.t1218
    - attack.t1003.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\ttdrecord.dll'
            - '\ttdwriter.dll'
            - '\ttdloader.dll'
    condition: selection
falsepositives:
    - Legitimate usage by software developers/testers
level: high
DeviceImageLoadEvents
| where FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\ttdwriter.dll" or FolderPath endswith "\\ttdloader.dll"
Scenario: Legitimate Debugging Session with tttracer.exe
Description: A developer is using tttracer.exe to debug a legitimate application or service, such as a custom in-house application or a third-party tool.
Filter/Exclusion: Check the process command line for known developer tools or internal application names. Example filter: process.name == "tttracer.exe" and (process.args contains "debug" or process.args contains "internal_app_name")
Scenario: Scheduled System Maintenance Task
Description: A scheduled task is configured to run tttracer.exe as part of a routine system maintenance or diagnostic process.
Filter/Exclusion: Filter by task name or user context. Example filter: process.name == "tttracer.exe" and (user == "SYSTEM" or task_name contains "ScheduledMaintenance")
Scenario: Admin Debugging of lsass.exe for Security Purposes
Description: A security administrator is using tttracer.exe to debug lsass.exe as part of a legitimate security investigation or incident response.
Filter/Exclusion: Check for administrative context and presence of security tools. Example filter: process.name == "tttracer.exe" and process.parent.name == "explorer.exe" and user == "Administrator"
Scenario: Integration with Debugging Tools in Development Environment
Description: A development environment includes tttracer.exe as part of an integrated debugging setup, such as with Visual Studio or another IDE.
Filter/Exclusion: Filter by process parent or known development tools. Example filter: process.name == "tttracer.exe" and (process.parent.name contains "devenv.exe" or process.parent.name contains "VisualStudio")
Scenario: Use of tttracer.exe for Performance Monitoring
Description: A system administrator is using tttracer.exe to monitor or analyze the performance of a critical service or application.
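The following is an added example, not part of the original rule or the Sigma project, that applies the image-load selection above to constructed DeviceImageLoadEvents-style rows and tunes out the IDE-parent scenario. It assumes the MDE column names FolderPath, InitiatingProcessFileName and InitiatingProcessParentFileName as the image-load equivalents of the process.* fields used in the scenario filters, and the allow-list IDE_PARENTS is hypothetical.

```python
from __future__ import annotations

# Constructed DeviceImageLoadEvents-style rows (MDE column names); not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FolderPath": r"C:\Windows\System32\ttdrecord.dll",
     "InitiatingProcessFileName": "tttracer.exe",
     "InitiatingProcessParentFileName": "cmd.exe",
     "InitiatingProcessAccountName": "jdoe"},
    {"DeviceName": "dev07", "FolderPath": r"C:\Windows\System32\TTDWriter.dll",
     "InitiatingProcessFileName": "tttracer.exe",
     "InitiatingProcessParentFileName": "devenv.exe",
     "InitiatingProcessAccountName": "dev1"},
    {"DeviceName": "ws01", "FolderPath": r"C:\temp\not_ttdrecord.dll",
     "InitiatingProcessFileName": "tttracer.exe",
     "InitiatingProcessParentFileName": "cmd.exe",
     "InitiatingProcessAccountName": "jdoe"},
    {"DeviceName": "ws02", "FolderPath": r"C:\Windows\System32\kernel32.dll",
     "InitiatingProcessFileName": "notepad.exe",
     "InitiatingProcessParentFileName": "explorer.exe",
     "InitiatingProcessAccountName": "asmith"},
]

# The three TTD recorder libraries from the Sigma selection. The leading
# backslash is kept on purpose so a file like "not_ttdrecord.dll" does not match.
TTD_DLLS = ("\\ttdrecord.dll", "\\ttdwriter.dll", "\\ttdloader.dll")

# Scenario 4 from the page (IDE-launched debugging). Hypothetical allow-list.
IDE_PARENTS = {"devenv.exe"}


def matches_rule(event: dict) -> bool:
    """Sigma 'ImageLoaded|endswith' is case-insensitive, so compare lowercased."""
    path = event.get("FolderPath", "").lower()
    return any(path.endswith(dll) for dll in TTD_DLLS)


def is_ide_debugging(event: dict) -> bool:
    """True when the loading process was spawned by a known IDE."""
    return event.get("InitiatingProcessParentFileName", "").lower() in IDE_PARENTS


def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (device, loading process, verdict) for every rule hit."""
    results = []
    for ev in events:
        if not matches_rule(ev):
            continue
        verdict = "tuned-out:ide-debug" if is_ide_debugging(ev) else "alert"
        results.append((ev["DeviceName"], ev["InitiatingProcessFileName"], verdict))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Only the IDE-parent scenario is tuned out here; a broad exclusion such as user == "SYSTEM" would also hide scheduled-task abuse, so keep any such filter narrow and review it regularly.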