
Time Travel Debugging Utility Usage - Image

Sigma Rules

Summary
This rule detects use of Microsoft's Time Travel Debugging (TTD) utility by matching image load events in which the loaded DLL path ends with \ttdrecord.dll, \ttdwriter.dll, or \ttdloader.dll, the libraries TTD loads when it records a process. Adversaries can abuse TTD for credential access: the signed Microsoft binary tttracer.exe can attach to and record lsass.exe, and the resulting trace contains the process memory that dedicated credential dumpers would otherwise have to read directly. Because the rule keys on the DLL load rather than on the process name or command line, renaming or relocating tttracer.exe does not evade it; the alert level is set to high because of the credential-access potential. False positives come from developers and testers who legitimately use TTD, so triage should check which process loaded the DLL (a load into lsass.exe or another credential-bearing process is far more serious than a load into a developer tool) and whether the host is a development workstation.
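The matching logic described above, run over a handful of constructed Sysmon-style image load records, as an added example that is not part of the original page and not a Sigma engine. Every path, process and event below is made up for illustration; the triage labels (`critical` versus `high`) are this example's own triage convention and are not part of the Sigma rule, whose level is simply high.

```python
# Added example: re-implements this rule's matching over constructed
# Sysmon-style events. Not the Sigma rule itself and not a Sigma engine;
# all paths and processes below are hypothetical.

# Suffixes from the rule's detection block. Sigma string matching is
# case-insensitive, so the loaded image path is lowercased before comparing.
TTD_DLL_SUFFIXES = ("\\ttdrecord.dll", "\\ttdwriter.dll", "\\ttdloader.dll")

# Processes whose memory holds credentials; used only for triage in this
# example (assumption, not part of the rule, which fires on the DLL load alone).
SENSITIVE_HOST_IMAGES = ("\\lsass.exe",)


def is_ttd_image_load(event: dict) -> bool:
    """True when the event is a Sysmon image load (Event ID 7) whose
    ImageLoaded path ends with one of the TTD DLLs."""
    if event.get("EventID") != 7:
        return False
    image_loaded = event.get("ImageLoaded", "")
    return image_loaded.lower().endswith(TTD_DLL_SUFFIXES)


def triage(event: dict) -> str:
    """Annotate a match: a TTD DLL loaded into a credential-bearing process
    outranks one loaded into an ordinary developer tool."""
    host = event.get("Image", "").lower()
    if host.endswith(SENSITIVE_HOST_IMAGES):
        return "critical: TTD DLL loaded into a sensitive process"
    return "high: TTD DLL loaded (verify developer/tester activity)"


def find_ttd_loads(events):
    """Apply the rule to a list of events; return matches with a triage note."""
    return [dict(event, Triage=triage(event))
            for event in events if is_ttd_image_load(event)]


# Constructed sample telemetry (not real logs). Field names follow Sysmon.
SAMPLE_EVENTS = [
    # Benign system DLL load: no match.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
    # Process creation of tttracer.exe: wrong event type for this rule, so
    # it is ignored here even though the binary is interesting.
    {"EventID": 1, "Image": "C:\\Tools\\TTD\\tttracer.exe"},
    # Mixed-case DLL name: still matches because comparison is case-insensitive.
    {"EventID": 7, "Image": "C:\\Tools\\TTD\\tttracer.exe",
     "ImageLoaded": "C:\\Tools\\TTD\\TTDRecord.dll"},
    # TTD DLL appearing inside lsass.exe: the case the rule exists for.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\lsass.exe",
     "ImageLoaded": "C:\\Tools\\TTD\\ttdloader.dll"},
    # Hypothetical developer tool: a match, but the likely false positive.
    {"EventID": 7, "Image": "C:\\Program Files\\DevTool\\devtool.exe",
     "ImageLoaded": "C:\\Program Files\\DevTool\\ttdwriter.dll"},
    # Suffix differs (.bak): endswith does not match, as in Sigma.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\lsass.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ttdrecord.dll.bak"},
]

if __name__ == "__main__":
    for hit in find_ttd_loads(SAMPLE_EVENTS):
        print(hit["Triage"], "->", hit["Image"], "loaded", hit["ImageLoaded"])
```

Running the block prints three hits out of the six constructed events: the mixed-case TTDRecord.dll load, the ttdloader.dll load into lsass.exe (annotated critical), and the ttdwriter.dll load by the hypothetical developer tool. The process-creation event and the `.bak` path are not matched, which mirrors the rule's reliance on the image load category and the `endswith` modifier.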
Categories
  • Windows
  • Endpoint
Data Sources
  • Image
Created: 2020-10-06