LoFP / legitimate usage by software developers/testers

Techniques

Sample rules

Time Travel Debugging Utility Usage

Description

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Detection logic

condition: selection
selection:
  ParentImage|endswith: \tttracer.exe

Time Travel Debugging Utility Usage - Image

Description

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Detection logic

condition: selection
selection:
  ImageLoaded|endswith:
  - \ttdrecord.dll
  - \ttdwriter.dll
  - \ttdloader.dll
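The two selections above are simple "endswith" matches on a process-creation field and an image-load field. The following Python is an added example (not part of this LoFP page, nor of the Sigma project or any SIEM) that evaluates both selections over constructed Sysmon-style events and tags hits from known developer/test hosts as the possible false positive this page is about. The mapping of the rules to Sysmon EventID 1 and 7, the field names (ParentImage, ImageLoaded, Image, Computer), the sample events and the developer host list are all assumptions made for the illustration.

```python
"""Evaluate the two TTD Sigma selections against constructed Sysmon-style events.

Added example; not code from the LoFP page, the Sigma project or any SIEM.
Assumptions: rule 1 maps to Sysmon EventID 1 (process creation), rule 2 to
Sysmon EventID 7 (image load); field names follow Sysmon's naming; the
sample events and the developer host list are constructed for this demo.
"""
from typing import Iterable

# Suffix lists copied from the two detection blocks on the page.
TTTRACER_PARENT_SUFFIXES = [r"\tttracer.exe"]
TTD_DLL_SUFFIXES = [r"\ttdrecord.dll", r"\ttdwriter.dll", r"\ttdloader.dll"]


def endswith_any(value, suffixes):
    """Sigma's string modifiers compare case-insensitively by default."""
    if not isinstance(value, str):
        return False
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def match_tttracer_parent(event: dict) -> bool:
    """Rule 1: a process whose parent is tttracer.exe (assumed Sysmon EID 1)."""
    return event.get("EventID") == 1 and endswith_any(
        event.get("ParentImage"), TTTRACER_PARENT_SUFFIXES)


def match_ttd_image_loaded(event: dict) -> bool:
    """Rule 2: one of the TTD recorder DLLs loaded into a process (assumed Sysmon EID 7)."""
    return event.get("EventID") == 7 and endswith_any(
        event.get("ImageLoaded"), TTD_DLL_SUFFIXES)


RULES = [
    ("Time Travel Debugging Utility Usage", match_tttracer_parent),
    ("Time Travel Debugging Utility Usage - Image", match_ttd_image_loaded),
]


def triage(events: Iterable[dict], developer_hosts=frozenset()) -> list:
    """Return one hit per matching event, flagging known developer/test hosts.

    The flag only marks the hit as the false positive named on this page; it
    does not suppress it, since the target process still needs a look
    (a TTD DLL inside lsass.exe is not a developer workflow).
    """
    hits = []
    for ev in events:
        fired = [name for name, fn in RULES if fn(ev)]
        if not fired:
            continue
        hits.append({
            "host": ev.get("Computer"),
            "rules": fired,
            "target": ev.get("Image"),
            "possible_fp": ev.get("Computer") in developer_hosts,
        })
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "DEV-WS01",
     "ParentImage": r"C:\Windows\System32\tttracer.exe",
     "Image": r"C:\Users\dev\bin\myapp.exe"},            # developer tracing own app
    {"EventID": 7, "Computer": "SRV-DC01",
     "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\TTDRecord.dll"},  # recorder DLL in lsass
    {"EventID": 1, "Computer": "SRV-DC01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},       # benign, no match
    {"EventID": 7, "Computer": "DEV-WS01",
     "Image": r"C:\Users\dev\bin\myapp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},  # benign, no match
]

# Assumed allowlist of hosts where TTD use is expected (developers/testers).
DEVELOPER_HOSTS = frozenset({"DEV-WS01"})


def run_sample() -> list:
    """Run both rules over the constructed events."""
    return triage(SAMPLE_EVENTS, DEVELOPER_HOSTS)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Of the four constructed events, the first fires rule 1 on a developer host (flagged as a possible false positive) and the second fires rule 2 with lsass.exe as the target on a domain controller, which is the case the descriptions above warn about; the other two match nothing.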