From f9a7c42a85c512a773b936be1b2c7e59e341e072 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Tue, 5 Nov 2019 12:12:46 +0100 Subject: [PATCH] Added TTTracer.exe - Thanks Onur Ulusoy --- yml/OSBinaries/Tttracer.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 yml/OSBinaries/Tttracer.yml diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml new file mode 100644 index 0000000..ee2cc79 --- /dev/null +++ b/yml/OSBinaries/Tttracer.yml @@ -0,0 +1,27 @@ +--- +Name: Tttracer.exe +Description: Used by Windows 1809 and newer to Debug Time Travel +Author: 'Oddvar Moe' +Created: '2019-11-5' +Commands: + - Command: tttracer.exe "C:\windows\system32\calc.exe" + Description: Execute calc using tttracer.exe. Requires administrator privileges + Usecase: Spawn process using other binary + Category: Execute + Privileges: Administrator + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows 10 1809 and newer +Full_Path: + - Path: C:\Windows\System32\tttracer.exe + - Path: C:\Windows\SysWOW64\tttracer.exe +Code_Sample: + - Code: +Detection: + - IOC: Parent child relationship. Tttracer parent for executed command +Resources: + - Link: https://twitter.com/oulusoyum/status/1191329746069655553 +Acknowledgement: + - Person: Onur Ulusoy + Handle: '@oulusoyum' +--- \ No newline at end of file
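Review bot: The `Description` field reads `Used by Windows 1809 and newer to Debug Time Travel`, which inverts the feature name and drops the product; suggest `Used by Windows 10 1809 and newer for Time Travel Debugging` so it matches the `OperatingSystem: Windows 10 1809 and newer` value further down. Two smaller consistency points in the same hunk: `Created: '2019-11-5'` is not zero-padded (the commit header itself dates this to 5 Nov 2019, so `'2019-11-05'` gives the ISO form), and `Code_Sample: - Code:` is left empty, so either drop the placeholder or add a reference. The `MitreLink` uses the legacy `attack.mitre.org/wiki/Technique/T1218` path; the current technique URL form is `https://attack.mitre.org/techniques/T1218/`. Finally, the detection entry `Parent child relationship. Tttracer parent for executed command` would be more actionable if it tied the parent-process check to the two `Full_Path` locations listed (`C:\Windows\System32\tttracer.exe`, `C:\Windows\SysWOW64\tttracer.exe`), since a detection keyed on the image path plus child spawn is what the entry's own `Privileges: Administrator` and `Category: Execute` fields point at.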