From 5de8d357b6d5419457ee312ad5a74e1cdace864a Mon Sep 17 00:00:00 2001 From: Maxime Nadeau Date: Tue, 12 May 2020 16:24:49 -0400 Subject: [PATCH 1/4] Added ttdinject.exe --- yml/OSBinaries/ttdinject.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 yml/OSBinaries/ttdinject.yml diff --git a/yml/OSBinaries/ttdinject.yml b/yml/OSBinaries/ttdinject.yml new file mode 100644 index 0000000..086e077 --- /dev/null +++ b/yml/OSBinaries/ttdinject.yml @@ -0,0 +1,30 @@ +--- +Name: ttdinject.exe +Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) +Author: 'Maxime Nadeau' +Created: '2020-05-12' +Commands: + - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" + Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. + Usecase: Spawn process using other binary + Category: Execute + Privileges: Administrator + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows 10 1809 and newer +Full_Path: + - Path: C:\Windows\System32\ttdinject.exe + - Path: C:\Windows\Syswow64\ttdinject.exe +Code_Sample: + - Code: +Detection: + - IOC: Event ID 10 + - IOC: binary.exe spawned +Resources: + - Link: https://twitter.com/Oddvarmoe/status/1196333160470138880 +Acknowledgement: + - Person: Oddvar Moe + Handle: @oddvarmoe + - Person: Maxime Nadeau + Handle: @m_nad0 +--- From b8b265b397c86942b9a3530580c849cbd7d4d7bb Mon Sep 17 00:00:00 2001 From: Maxime Nadeau Date: Tue, 12 May 2020 16:31:47 -0400 Subject: [PATCH 2/4] Added ttdinject --- yml/OSBinaries/{ttdinject.yml => Ttdinject.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename yml/OSBinaries/{ttdinject.yml => Ttdinject.yml} (100%) 
diff --git a/yml/OSBinaries/ttdinject.yml b/yml/OSBinaries/Ttdinject.yml similarity index 100% rename from yml/OSBinaries/ttdinject.yml rename to yml/OSBinaries/Ttdinject.yml From b95fb7ed2725e86606431eeaa14321576a768ba7 Mon Sep 17 00:00:00 2001 From: Maxime Nadeau Date: Tue, 12 May 2020 16:40:49 -0400 Subject: [PATCH 3/4] Added the IOCs --- yml/OSBinaries/Ttdinject.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 086e077..23630e8 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml @@ -18,8 +18,8 @@ Full_Path: Code_Sample: - Code: Detection: - - IOC: Event ID 10 - - IOC: binary.exe spawned + - IOC: Parent child relationship. Ttdinject.exe parent for executed command + - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process Resources: - Link: https://twitter.com/Oddvarmoe/status/1196333160470138880 Acknowledgement: From 640e7f2d65dc1fa90462b7390fbbe98cfa8b881e Mon Sep 17 00:00:00 2001 From: Maxime Nadeau Date: Fri, 3 Jul 2020 16:59:53 -0400 Subject: [PATCH 4/4] Added a Windows 10 2004 version --- yml/OSBinaries/Ttdinject.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 23630e8..b208c85 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml 
@@ -4,6 +4,14 @@ Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying cal Author: 'Maxime Nadeau' Created: '2020-05-12' Commands: + - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe" + Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. + Usecase: Spawn process using other binary + Category: Execute + Privileges: Administrator + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows 10 2004 - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. Usecase: Spawn process using other binary @@ -11,7 +19,7 @@ Commands: Privileges: Administrator MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 - OperatingSystem: Windows 10 1809 and newer + OperatingSystem: Windows 10 1909 Full_Path: - Path: C:\Windows\System32\ttdinject.exe - Path: C:\Windows\Syswow64\ttdinject.exe
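Review bot: `Code_Sample: - Code:` is left with no value in PATCH 1/4's hunk for yml/OSBinaries/ttdinject.yml, so the key parses as null; either give it a value or drop the Code_Sample block. The two Detection entries in the same hunk are also too generic to act on: `IOC: Event ID 10` names no log or provider (which source's event 10 is meant), and `IOC: binary.exe spawned` is a placeholder rather than an observable. Suggest stating the provider and the actual relationship being detected, e.g. "ttdinject.exe as parent process of the launched executable". Minor: the MitreLink uses the old `/wiki/Technique/T1218` path; the current technique page is https://attack.mitre.org/techniques/T1218/.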
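Review bot: the PATCH 2/4 subject "Added ttdinject" does not describe the change, which is a case-only rename of yml/OSBinaries/ttdinject.yml to Ttdinject.yml (similarity index 100%, no content change); say so in the subject. A case-only rename needs `git mv` on case-insensitive checkouts (Windows, default macOS) or the working tree keeps the old spelling, and it also leaves the file name out of step with the `Name: ttdinject.exe` and `Full_Path` entries inside the file, which stay lowercase; pick one convention for the file name and the fields.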
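Review bot: in PATCH 3/4's hunk, the new second IOC ("Multiple queries made to the IFEO registry key of an untrusted executable ... from the ttdinject.exe process") does not say which telemetry records those queries; registry reads are not writes, so the entry should name the source the maintainers expect (object-access auditing on the Image File Execution Options key, or an EDR registry-read event), otherwise it is not actionable. Minor: the first IOC reads as a heading plus a fragment ("Parent child relationship. Ttdinject.exe parent for executed command"); suggest "ttdinject.exe as the parent process of the launched command", using the lowercase binary name that Full_Path and the second IOC already use.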
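Review bot: the new Windows 10 2004 command in PATCH 4/4's first hunk spells the binary and switch as `TTDInject.exe` and `/Launch` while the existing entry uses `ttdinject.exe` and `/launch`; use one spelling across both entries so they grep and diff cleanly. The Description, Usecase, Category, Privileges, MitreID and MitreLink lines are copied verbatim from the existing command, and the only real differences are the dropped `/ClientScenario TTDRecorder /ddload 0` switches and the OperatingSystem value; the new Description should say what distinguishes the 2004 form (that those switches are not used there), otherwise a reader sees two near-identical entries with no stated reason.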
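Review bot: PATCH 4/4's second hunk changes `OperatingSystem: Windows 10 1809 and newer` to `OperatingSystem: Windows 10 1909`, which now conflicts with the unchanged Description shown in the hunk header context ("Used by Windows 1809 and newer to Debug Time Travel"). If the `/ClientScenario` form is meant for 1909 only, with 2004 covered by the new entry, update the Description to match and list 1809 explicitly (e.g. "Windows 10 1809 and 1909") or drop it deliberately with a note, since the new value silently removes a release the file still claims to cover.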