~/Privilege Escalation/Windows/Binaries# cat Tttracer.exe.md
Used by Windows 1809 and newer for Time Travel Debugging
Paths:
C:\Windows\System32\tttracer.exe
C:\Windows\SysWOW64\tttracer.exe
Detection: Parent-child process relationship. tttracer.exe appears as the parent of the executed command.
Execute
Execute calc using tttracer.exe. Requires administrator privileges.
tttracer.exe C:\windows\system32\calc.exe
Dump
Dump a process using tttracer.exe. Requires administrator privileges.
TTTracer.exe -dumpFull -attach pid
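
The detection note above (tttracer.exe as parent of the executed command), extended to also flag the dump command line, as an added example that is not part of the original page. It assumes process-creation events exported as JSON lines using Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the sample events, the PID and the rule names are constructed.

```python
import json
from ntpath import basename  # parses Windows paths on any OS

# Constructed sample events (Sysmon Event ID 1 field names), one JSON object per line.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\tttracer.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "tttracer.exe C:\\windows\\system32\\calc.exe"}
{"Image": "C:\\Windows\\System32\\calc.exe", "ParentImage": "C:\\Windows\\System32\\tttracer.exe", "CommandLine": "C:\\windows\\system32\\calc.exe"}
{"Image": "C:\\Windows\\SysWOW64\\tttracer.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "TTTracer.exe -dumpFull -attach 612"}
{"Image": "C:\\Windows\\System32\\calc.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "calc.exe"}
'''

TTTRACER = "tttracer.exe"


def classify(event):
    """Return the detection names (hypothetical rule names) matching one event."""
    hits = []
    # Compare file names case-insensitively so System32 and SysWOW64 both match.
    image = basename(event.get("Image", "")).lower()
    parent = basename(event.get("ParentImage", "")).lower()
    args = event.get("CommandLine", "").lower().split()
    # Page's detection: tttracer.exe is the parent of the executed command.
    if parent == TTTRACER:
        hits.append("child_of_tttracer")
    # Dump usage from the page: tttracer.exe run with -dumpFull and -attach.
    if image == TTTRACER and "-dumpfull" in args and "-attach" in args:
        hits.append("tttracer_process_dump")
    return hits


def scan(lines):
    """Classify every JSON line and return (Image, detections) for flagged events."""
    results = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            results.append((event["Image"], hits))
    return results


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image, hits)
```

The first sample event (tttracer.exe started from cmd.exe) is not flagged on its own; the parent-child rule fires on the child's creation event that follows it.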