sigma | medium | Hunting

Use of TTDInject.exe

Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)

MITRE ATT&CK

defense-evasion

Detection Query

selection:
  - Image|endswith: ttdinject.exe
  - OriginalFileName: TTDInject.EXE
condition: selection
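
The selection above is a list of two maps, which Sigma evaluates as an OR: either the process image path ends with ttdinject.exe, or the PE version resource's OriginalFileName is TTDInject.EXE (so a renamed copy of the binary is still caught). The following is an added example, not code from the rule author or the Sigma project, that applies those semantics (case-insensitive matching, `endswith` modifier) to constructed Sysmon-style process-creation events; the field names and sample paths are assumptions for illustration.

```python
# Added example: evaluates this rule's selection logic over constructed
# process-creation events. Not part of the Sigma project or this rule page.
# Assumed Sigma semantics: a list of maps under `selection` is OR-ed, each map
# is AND-ed, string comparison is case-insensitive, `endswith` checks the suffix.

SELECTION = [
    {"Image|endswith": "ttdinject.exe"},
    {"OriginalFileName": "TTDInject.EXE"},
]


def _field_matches(event, key, expected):
    """Apply one Sigma field condition (field name plus optional |modifier)."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = value.lower(), expected.lower()  # case-insensitive
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def matches(event):
    """True if any map in the selection list matches the event (OR semantics)."""
    return any(
        all(_field_matches(event, k, v) for k, v in item.items())
        for item in SELECTION
    )


# Constructed Sysmon-style (Event ID 1) events; paths are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\TTDInject.exe", "OriginalFileName": "TTDInject.EXE"},
    # renamed binary: the Image clause misses it, OriginalFileName still hits
    {"Image": r"C:\Temp\updater.exe", "OriginalFileName": "TTDInject.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]


def hits(events=SAMPLE_EVENTS):
    """Return the Image of every event this rule would flag."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for image in hits():
        print("ALERT  Use of TTDInject.exe:", image)
```

Because the rule lists "Legitimate use" as a false positive, alerts from the second clause alone (OriginalFileName without a matching Image) are the ones most worth a closer look during triage.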

Author

frack113

Created

2022-05-16

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.defense-evasion
attack.t1127

Raw Content
title: Use of TTDInject.exe
id: b27077d6-23e6-45d2-81a0-e2b356eea5fd
status: test
description: Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022-05-16
tags:
    - attack.defense-evasion
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: 'ttdinject.exe'
        - OriginalFileName: 'TTDInject.EXE'
    condition: selection
falsepositives:
    - Legitimate use
level: medium