From b95fb7ed2725e86606431eeaa14321576a768ba7 Mon Sep 17 00:00:00 2001 From: Maxime Nadeau Date: Tue, 12 May 2020 16:40:49 -0400 Subject: [PATCH] Added the IOCs --- yml/OSBinaries/Ttdinject.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index 086e077..23630e8 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml @@ -18,8 +18,8 @@ Full_Path: Code_Sample: - Code: Detection: - - IOC: Event ID 10 - - IOC: binary.exe spawned + - IOC: Parent child relationship. Ttdinject.exe parent for executed command + - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process Resources: - Link: https://twitter.com/Oddvarmoe/status/1196333160470138880 Acknowledgement:
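Review bot: the first replacement IOC in the Detection hunk is a sentence fragment and its casing disagrees with the second IOC ("Ttdinject.exe parent for executed command" versus "from the ttdinject.exe process"); reword it as one complete line, e.g. `- IOC: Parent/child relationship: ttdinject.exe as the parent process of the executed command`, using the same lowercase binary name in both entries. The second IOC (multiple queries to the IFEO key of an untrusted executable) does not say which telemetry source records those registry queries, so it is less actionable than it could be; the removed `- IOC: Event ID 10` line at least pointed at a specific event, and that context is lost without a replacement. Consider stating the log source (registry auditing or an endpoint sensor's registry events) alongside the example key path, and note in the entry that the queried executable name ("payload.exe") is a placeholder rather than a fixed indicator.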