sigma (DRL-1.1), from SigmaHQ/sigma

Use of TTDInject.exe

Detects the execution of TTDInject.exe, which Windows 10 v1809 and newer use for Time Travel Debugging (it is called under the hood by tttracer.exe)

Rule source: rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
title: Use of TTDInject.exe
id: b27077d6-23e6-45d2-81a0-e2b356eea5fd
status: test
description: Detects the execution of TTDInject.exe, which Windows 10 v1809 and newer use for Time Travel Debugging (it is called under the hood by tttracer.exe)
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022-05-16
tags:
    - attack.defense-evasion
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: 'ttdinject.exe'
        - OriginalFileName: 'TTDInject.EXE'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
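To show how the selection above evaluates, here is an added Python evaluator of this rule's logic (not SigmaHQ code and not a Sigma backend) run over constructed process-creation events; the field names follow the rule, while the helper names, event ids and sample events are assumptions.

```python
"""Minimal evaluator for the ttdinject rule's 'selection' over sample events."""


def _ci(value):
    """Sigma string matching is case-insensitive; normalise to lowercase."""
    return value.lower() if isinstance(value, str) else None


def image_endswith(event, suffix="ttdinject.exe"):
    """Image|endswith: 'ttdinject.exe' (a missing field never matches)."""
    image = _ci(event.get("Image"))
    return image is not None and image.endswith(suffix.lower())


def original_filename_is(event, name="TTDInject.EXE"):
    """OriginalFileName: 'TTDInject.EXE' (exact, case-insensitive)."""
    ofn = _ci(event.get("OriginalFileName"))
    return ofn is not None and ofn == name.lower()


def matches_rule(event):
    """A YAML list under 'selection' ORs its items; 'condition: selection'."""
    return image_endswith(event) or original_filename_is(event)


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\TTDInject.exe",
     "OriginalFileName": "TTDInject.EXE"},
    # Renamed copy: path no longer matches, PE version resource still does.
    {"id": 2, "Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "TTDInject.EXE"},
    {"id": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    # The parent tool itself is not covered by this rule.
    {"id": 4, "Image": r"C:\Windows\System32\tttracer.exe",
     "OriginalFileName": "TTTracer.EXE"},
    # Log source without OriginalFileName enrichment: path suffix alone matches.
    {"id": 5, "Image": r"c:\windows\system32\ttdinject.exe"},
]


def alerts(events=SAMPLE_EVENTS):
    """Return the ids of events that would raise this rule."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print("matching event ids:", alerts())
```

Event 4 is the practical caveat: this rule fires on the injector, not on tttracer.exe, so the tracer itself needs its own coverage.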