Remote Thread Creation Ttdinject.exe Proxy

Detects remote thread creation by Ttdinject.exe when the binary is used as an execution proxy

Sigma rule

title: Remote Thread Creation Ttdinject.exe Proxy
id: c15e99a3-c474-48ab-b9a7-84549a7a9d16
status: test
description: Detects a remote thread creation of Ttdinject.exe used as proxy
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022-05-16
modified: 2022-06-02
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith: '\ttdinject.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
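The rule above has a single selection, so its logic is easy to reproduce outside a Sigma backend. The following added example (not part of the Sigma project or the rule author's work) applies that selection to a few constructed Sysmon Event ID 8 (CreateRemoteThread) records, which is the event type the `create_remote_thread` log source maps to on Windows. Sigma string modifiers such as `endswith` match case-insensitively by default, so the comparison is done on lowercased values. The `triage_hint` field and the install-path prefixes it checks are an assumption added for analyst convenience; they are not part of the rule, whose false-positive list is simply "Unknown".

```python
"""Evaluate the 'Remote Thread Creation Ttdinject.exe Proxy' Sigma selection
against Sysmon Event ID 8 records.

Added example, not code from the Sigma project. Event records below are
constructed; field names follow Sysmon's CreateRemoteThread event.
"""
from typing import Iterable

RULE_TITLE = "Remote Thread Creation Ttdinject.exe Proxy"
RULE_LEVEL = "high"

# Selection from the rule: SourceImage|endswith: '\ttdinject.exe'
# Sigma matching is case-insensitive by default, hence the lowercase suffix.
SOURCE_IMAGE_SUFFIX = "\\ttdinject.exe"

# Assumption for triage only (not part of the rule): where a vendor-installed
# Ttdinject.exe would normally live. Anything else gets a "review" hint.
EXPECTED_INSTALL_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\program files\\windowsapps\\",
)

# Constructed sample events (paths are illustrative placeholders).
SAMPLE_EVENTS = [
    {   # matches: source is ttdinject.exe under an expected install path
        "EventID": 8,
        "SourceImage": "C:\\Program Files\\WindowsApps\\WinDbg-placeholder\\TTDInject.exe",
        "TargetImage": "C:\\Windows\\System32\\notepad.exe",
        "StartFunction": "",
    },
    {   # matches: source is a copy of ttdinject.exe in a user-writable directory
        "EventID": 8,
        "SourceImage": "C:\\Users\\Public\\ttdinject.exe",
        "TargetImage": "C:\\Windows\\System32\\svchost.exe",
        "StartFunction": "LoadLibraryA",
    },
    {   # no match: different source image
        "EventID": 8,
        "SourceImage": "C:\\Windows\\System32\\csrss.exe",
        "TargetImage": "C:\\Windows\\explorer.exe",
    },
    {   # no match: not a CreateRemoteThread event, so the log source does not apply
        "EventID": 1,
        "Image": "C:\\Users\\Public\\ttdinject.exe",
    },
]


def is_create_remote_thread(event: dict) -> bool:
    """Log source filter: Sysmon Event ID 8 is CreateRemoteThread."""
    return event.get("EventID") == 8


def selection_matches(event: dict) -> bool:
    """The rule's only selection: SourceImage ends with '\\ttdinject.exe'."""
    source = event.get("SourceImage")
    if not isinstance(source, str):
        return False  # field absent or malformed: cannot match
    return source.lower().endswith(SOURCE_IMAGE_SUFFIX)


def triage_hint(source_image: str) -> str:
    """Assumed helper: flag copies of the binary outside vendor install paths."""
    lowered = source_image.lower()
    if lowered.startswith(EXPECTED_INSTALL_PREFIXES):
        return "expected install path"
    return "review: binary outside expected install path"


def evaluate(events: Iterable[dict]) -> list[dict]:
    """Return one alert dict per event that satisfies logsource + selection."""
    alerts = []
    for ev in events:
        if is_create_remote_thread(ev) and selection_matches(ev):
            alerts.append({
                "rule": RULE_TITLE,
                "level": RULE_LEVEL,
                "source": ev["SourceImage"],
                "target": ev.get("TargetImage", ""),
                "start_function": ev.get("StartFunction", ""),
                "triage_hint": triage_hint(ev["SourceImage"]),
            })
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a['level']}] {a['rule']}: {a['source']} -> {a['target']} "
              f"({a['start_function'] or 'no StartFunction'}) [{a['triage_hint']}]")
```

Running the block prints two alerts for the four sample records: both ttdinject.exe events match regardless of path casing, the csrss.exe event does not, and the Event ID 1 record is excluded by the log source check before the selection is ever applied.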
