LOLBAS/yml/OSBinaries/Ttdinject.yml

---
Name: Ttdinject.exe
Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
Author: 'Maxime Nadeau'
Created: 2020-05-12
Commands:
  - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
    Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
    Usecase: Spawn process using other binary
    Category: Execute
    Privileges: Administrator
    MitreID: T1127
    OperatingSystem: Windows 10 2004 and above, Windows 11
    Tags:
      - Execute: EXE
  - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
    Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
    Usecase: Spawn process using other binary
    Category: Execute
    Privileges: Administrator
    MitreID: T1127
    OperatingSystem: Windows 10 1909 and below
    Tags:
      - Execute: EXE
Full_Path:
  - Path: C:\Windows\System32\ttdinject.exe
  - Path: C:\Windows\Syswow64\ttdinject.exe
Code_Sample:
  - Code:
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
  - IOC: Parent child relationship. Ttdinject.exe parent for executed command
  - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
Resources:
  - Link: https://twitter.com/Oddvarmoe/status/1196333160470138880
Acknowledgement:
  - Person: Oddvar Moe
    Handle: '@oddvarmoe'
  - Person: Maxime Nadeau
    Handle: '@m_nad0'
Added ttdinject.exe 2020-05-12 22:24:49 +02:00			`---`
Changed capitalization inside file 2020-08-24 09:34:56 +02:00			`Name: Ttdinject.exe`
Added ttdinject.exe 2020-05-12 22:24:49 +02:00			`Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)`
			`Author: 'Maxime Nadeau'`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Created: 2020-05-12`
Added ttdinject.exe 2020-05-12 22:24:49 +02:00			`Commands:`
Added a Windows 10 2004 version 2020-07-03 22:59:53 +02:00			`- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"`
			`Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.`
			`Usecase: Spawn process using other binary`
			`Category: Execute`
			`Privileges: Administrator`
More changes (mainly changing generic T1218 to dev-specific T1127) 2021-11-05 21:06:57 +01:00			`MitreID: T1127`
Adding Windows 11 reference to missed-out executables 2021-12-14 17:57:56 +01:00			`OperatingSystem: Windows 10 2004 and above, Windows 11`
Update Ttdinject.yml Tags: 2024-10-13 17:15:47 +02:00			`Tags:`
Correct identation 2024-10-13 17:57:36 +02:00			`- Execute: EXE`
Added ttdinject.exe 2020-05-12 22:24:49 +02:00			`- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"`
			`Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.`
			`Usecase: Spawn process using other binary`
			`Category: Execute`
			`Privileges: Administrator`
More changes (mainly changing generic T1218 to dev-specific T1127) 2021-11-05 21:06:57 +01:00			`MitreID: T1127`
Adding Windows 11 reference to missed-out executables 2021-12-14 17:57:56 +01:00			`OperatingSystem: Windows 10 1909 and below`
Update Ttdinject.yml Tags: 2024-10-13 17:15:47 +02:00			`Tags:`
Correct identation 2024-10-13 17:57:36 +02:00			`- Execute: EXE`
Added ttdinject.exe 2020-05-12 22:24:49 +02:00			`Full_Path:`
			`- Path: C:\Windows\System32\ttdinject.exe`
			`- Path: C:\Windows\Syswow64\ttdinject.exe`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Code_Sample:`
			`- Code:`
			`Detection:`
$frack113$ Update old sigma link (#303) * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-10-18 17:30:34 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml`
$frack113$ Adding various Sigma references (#213) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2022-05-17 10:18:45 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml`
Added the IOCs 2020-05-12 22:40:49 +02:00			`- IOC: Parent child relationship. Ttdinject.exe parent for executed command`
			`- IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process`
Added ttdinject.exe 2020-05-12 22:24:49 +02:00			`Resources:`
			`- Link: https://twitter.com/Oddvarmoe/status/1196333160470138880`
			`Acknowledgement:`
			`- Person: Oddvar Moe`
Adjusted missing ticks in Acknowledgement 2020-08-24 09:28:38 +02:00			`Handle: '@oddvarmoe'`
Added ttdinject.exe 2020-05-12 22:24:49 +02:00			`- Person: Maxime Nadeau`
Adjusted missing ticks in Acknowledgement 2020-08-24 09:28:38 +02:00			`Handle: '@m_nad0'`