Tttracer.exe
Time Travel Debugging (TTD) tracer shipped with Windows 10 1809 and newer; it launches or attaches to a target process to record a trace, and can be abused to proxy execution or dump a process.
Paths:
- C:\Windows\System32\tttracer.exe
- C:\Windows\SysWOW64\tttracer.exe
Resources:
https://twitter.com/oulusoyum/status/1191329746069655553
https://twitter.com/mattifestation/status/1196390321783025666
https://lists.samba.org/archive/cifs-protocol/2016-April/002877.html
Acknowledgement:
Onur Ulusoy - @oulusoyum
Matt Graeber - @mattifestation
Detection:
Parent-child relationship: tttracer.exe appears as the parent of the executed command. For the dump usecase, look for tttracer.exe invoked with -attach against a PID.
Execute
Execute calc using tttracer.exe. Requires administrator privileges.
Command: tttracer.exe C:\windows\system32\calc.exe
Usecase: Spawn process using other binary
Privileges required: Administrator
OS: Windows 10 1809 and newer
Mitre: T1218
Dump
Dumps a process using tttracer.exe. Requires administrator privileges; replace <pid> with the target process ID.
Command: TTTracer.exe -dumpFull -attach <pid>
Usecase: Dump process by PID
Privileges required: Administrator
OS: Windows 10 1809 and newer
Mitre: T1003
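The detection note above is only a one-liner, so here is an added example (not part of the LOLBAS entry or the referenced tweets) that turns it into concrete logic for both usecases. It runs over constructed Sysmon Event ID 1 (process creation) records using the real Sysmon field names Image, ParentImage and CommandLine; the sample events, PID value and the "info" severity for any other tttracer.exe launch are assumptions made for illustration.

```python
"""Toy detection for tttracer.exe abuse over Sysmon process-creation events.

Rules:
  T1218 - a process whose parent is tttracer.exe (proxy execution usecase)
  T1003 - tttracer.exe run with -attach <pid> plus a -dump* switch (dump usecase)
  info  - any other tttracer.exe launch, worth reviewing since it needs admin
"""
import re

# Constructed sample events (subset of Sysmon EID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tttracer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"tttracer.exe C:\windows\system32\calc.exe"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\System32\tttracer.exe",
     "CommandLine": r"C:\windows\system32\calc.exe"},
    {"Image": r"C:\Windows\System32\tttracer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "TTTracer.exe -dumpFull -attach 1234"},   # assumed PID
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

ATTACH_RE = re.compile(r"-attach\s+(\d+)", re.IGNORECASE)
DUMP_RE = re.compile(r"-dump\w*", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a list of (technique, message) findings for one event."""
    findings = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    # Proxy execution: tttracer.exe is the parent of the real payload.
    if parent == "tttracer.exe":
        findings.append(("T1218", f"{image} spawned by tttracer.exe"))

    # Dump: tttracer.exe attaching to a PID with a dump switch.
    if image == "tttracer.exe":
        attach = ATTACH_RE.search(cmd)
        if attach and DUMP_RE.search(cmd):
            findings.append(("T1003", f"tttracer.exe dump of PID {attach.group(1)}"))
        else:
            findings.append(("info", f"tttracer.exe launched: {cmd}"))
    return findings


def scan(events):
    """Flatten findings across events as (event_index, technique, message)."""
    return [(i, tech, msg) for i, ev in enumerate(events) for tech, msg in classify(ev)]


if __name__ == "__main__":
    for idx, tech, msg in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{tech}] {msg}")
```

The parent-image rule is the one the entry recommends; matching on basename rather than the full path also catches copies of the binary run from another directory, which is a common evasion against path-based rules.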