Remote Thread Creation Ttdinject.exe Proxy
Detects a remote thread created by Ttdinject.exe, a signed Windows binary that can be abused as a proxy for code execution (see the LOLBAS reference in the rule).
Sigma rule
title: Remote Thread Creation Ttdinject.exe Proxy
id: c15e99a3-c474-48ab-b9a7-84549a7a9d16
status: test
description: Detects a remote thread creation of Ttdinject.exe used as proxy
references:
  - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022-05-16
modified: 2022-06-02
tags:
  - attack.defense-evasion
  - attack.t1127
logsource:
  product: windows
  category: create_remote_thread
detection:
  selection:
    SourceImage|endswith: '\ttdinject.exe'
  condition: selection
falsepositives:
  - Unknown
level: high
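The selection above is a single `endswith` test on the `SourceImage` field of a `create_remote_thread` event (on Windows this is normally Sysmon Event ID 8). The following added example, which is not part of the SigmaHQ rule or the Sigma toolchain, shows how that one selection evaluates against a handful of constructed events: it implements the `endswith` modifier with Sigma's default case-insensitive string matching, so `TTDInject.exe` and `ttdinject.exe` both hit, while an event in which Ttdinject.exe is only the *target* of the thread does not. The event records, process ids and paths are constructed sample data, and the helper names (`field_matches`, `selection_matches`, `evaluate`) are this example's own.

```python
"""Toy evaluator for the rule's `SourceImage|endswith` selection.

Added example, not SigmaHQ code. Events are shaped like Sysmon Event ID 8
(CreateRemoteThread) records and are constructed for illustration only.
"""
from typing import Dict, List

RULE_ID = "c15e99a3-c474-48ab-b9a7-84549a7a9d16"
RULE_TITLE = "Remote Thread Creation Ttdinject.exe Proxy"
RULE_LEVEL = "high"

# The rule's selection block, as a field-spec -> expected-value mapping.
SELECTION: Dict[str, str] = {"SourceImage|endswith": "\\ttdinject.exe"}


def field_matches(event: Dict[str, object], field_spec: str, expected: str) -> bool:
    """Apply one Sigma field test ("Field|modifier") to a single event.

    Sigma compares strings case-insensitively unless told otherwise, so both
    sides are lower-cased before the modifier is applied. Only the handful
    of modifiers needed here are implemented.
    """
    field, _, modifier = field_spec.partition("|")
    value = str(event.get(field, "")).lower()
    want = expected.lower()
    if modifier == "endswith":
        return value.endswith(want)
    if modifier == "startswith":
        return value.startswith(want)
    if modifier == "contains":
        return want in value
    if modifier == "":
        return value == want
    raise ValueError(f"unsupported Sigma modifier: {modifier!r}")


def selection_matches(event: Dict[str, object], selection: Dict[str, str]) -> bool:
    """A selection map is an AND of all its field tests (Sigma semantics)."""
    return all(field_matches(event, spec, exp) for spec, exp in selection.items())


def evaluate(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return alert records for every event the rule's selection matches."""
    alerts = []
    for ev in events:
        if selection_matches(ev, SELECTION):
            alerts.append({
                "rule_id": RULE_ID,
                "title": RULE_TITLE,
                "level": RULE_LEVEL,
                "SourceImage": ev.get("SourceImage"),
                "TargetImage": ev.get("TargetImage"),
                "TargetProcessId": ev.get("TargetProcessId"),
            })
    return alerts


# Constructed sample events (not real telemetry). Field names follow Sysmon
# Event ID 8; the paths and pids are made up.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # should match: source binary is ttdinject.exe (mixed case on disk)
        "EventID": 8,
        "SourceImage": "C:\\Windows\\System32\\TTDInject.exe",
        "SourceProcessId": 4120,
        "TargetImage": "C:\\Windows\\System32\\notepad.exe",
        "TargetProcessId": 5288,
    },
    {   # should NOT match: ttdinject.exe is the target, not the source
        "EventID": 8,
        "SourceImage": "C:\\Windows\\System32\\csrss.exe",
        "SourceProcessId": 612,
        "TargetImage": "C:\\Windows\\System32\\ttdinject.exe",
        "TargetProcessId": 4120,
    },
    {   # should NOT match: unrelated remote thread from a different binary
        "EventID": 8,
        "SourceImage": "C:\\Program Files\\Example\\agent.exe",
        "SourceProcessId": 2204,
        "TargetImage": "C:\\Windows\\explorer.exe",
        "TargetProcessId": 3380,
    },
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['title']}: "
              f"{alert['SourceImage']} -> {alert['TargetImage']} (pid {alert['TargetProcessId']})")
```

Because the rule keys only on the source image name, a full-path `endswith` still matches a copy of the binary placed outside `System32`; whether that is desirable depends on your environment, and tuning the `falsepositives` section (currently `Unknown`) is where such decisions belong.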
Related rules
- AspNetCompiler Execution
- C# IL Code Compilation Via Ilasm.EXE
- Detection of PowerShell Execution via Sqlps.exe
- JScript Compiler Execution
- Kavremover Dropped Binary LOLBIN Usage