Use of TTDInject.exe

Detects the execution of TTDInject.exe, which Windows 10 v1809 and newer use for Time Travel Debugging (it is the underlying call made by tttracer.exe).

Sigma rule

title: Use of TTDInject.exe
id: b27077d6-23e6-45d2-81a0-e2b356eea5fd
status: test
description: Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022/05/16
tags:
    - attack.defense_evasion
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: 'ttdinject.exe'
        - OriginalFileName: 'TTDInject.EXE'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
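
The rule's selection is a list of two maps, which Sigma evaluates as an OR, so a renamed copy is still caught through OriginalFileName. The following sketch is an added example, not part of the original rule or the Sigma project; it applies the same logic to constructed process-creation events, assuming Sysmon Event ID 1 field names.

```python
# Added example: evaluates the rule's `selection` over process-creation events.
# Field names follow Sysmon Event ID 1 (assumption); all sample values are constructed.

def _endswith(value, suffix):
    # Sigma string matching is case-insensitive by default.
    return isinstance(value, str) and value.lower().endswith(suffix.lower())

def _equals(value, expected):
    return isinstance(value, str) and value.lower() == expected.lower()

def matches_ttdinject(event):
    """Return the selection branches that fired; a list of maps in Sigma is an OR."""
    hits = []
    if _endswith(event.get("Image"), "ttdinject.exe"):
        hits.append("Image|endswith")
    if _equals(event.get("OriginalFileName"), "TTDInject.EXE"):
        hits.append("OriginalFileName")
    return hits

# Constructed events, not taken from real telemetry.
SAMPLE_EVENTS = [
    # Binary run from its usual location: both branches fire.
    {"Image": r"C:\Windows\System32\ttdinject.exe", "OriginalFileName": "TTDInject.EXE"},
    # Copy renamed on disk: only the PE version-info branch fires.
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "TTDInject.EXE"},
    # Log source without OriginalFileName, upper-case path: only the Image branch fires.
    {"Image": r"C:\WINDOWS\SYSTEM32\TTDINJECT.EXE"},
    # Unrelated process: no match.
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    # The suffix has no leading backslash, so any file name ending in it also matches.
    {"Image": r"C:\Tools\my_ttdinject.exe", "OriginalFileName": "my_tool.exe"},
]

def triage(events):
    """Return (index, branches) for every event the rule would alert on."""
    results = []
    for index, event in enumerate(events):
        hits = matches_ttdinject(event)
        if hits:
            results.append((index, hits))
    return results

if __name__ == "__main__":
    for index, branches in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], "matched on", ", ".join(branches))
```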
