public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-11-04 02:29:34 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #66 from GoSecure/gosecure/ttdinject

Browse Source 
Added proxy execution for ttdinject.exe
This commit is contained in:
Oddvar Moe
2020-08-24 09:25:29 +02:00
committed by GitHub
parent 8cf6ef53fb 640e7f2d65
commit 84a6cd8e85
1 changed files with 38 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
yml/OSBinaries/Ttdinject.yml Normal file
View File

@@ -0,0 +1,38 @@
---
Name: ttdinject.exe
Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
Author: 'Maxime Nadeau'
Created: '2020-05-12'
Commands:
- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
Usecase: Spawn process using other binary
Category: Execute
Privileges: Administrator
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 2004
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.
Usecase: Spawn process using other binary
Category: Execute
Privileges: Administrator
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 1909
Full_Path:
- Path: C:\Windows\System32\ttdinject.exe
- Path: C:\Windows\Syswow64\ttdinject.exe
Code_Sample:
- Code:
Detection:
- IOC: Parent child relationship. Ttdinject.exe parent for executed command
- IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
Resources:
- Link: https://twitter.com/Oddvarmoe/status/1196333160470138880
Acknowledgement:
- Person: Oddvar Moe
Handle: @oddvarmoe
- Person: Maxime Nadeau
Handle: @m_nad0
---