Ttdinject.exe

Used by Windows 10 1809 and newer for Time Travel Debugging (TTD); it is the binary that tttracer.exe invokes under the hood.


Paths:


Resources:
https://twitter.com/Oddvarmoe/status/1196333160470138880

Acknowledgement:
Oddvar Moe - @oddvarmoe
Maxime Nadeau - @m_nad0


Detection:
Parent/child relationship: ttdinject.exe appears as the parent of the launched command (the target passed to /Launch).
Multiple queries to the IFEO registry key of an untrusted executable (e.g. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") made by the ttdinject.exe process.



Execute

Execute calc.exe via ttdinject.exe. Requires administrator privileges. A log file named tmp.run is created. The log file name can be changed, but the first /ClientParams field (7) is the character length of that name and must be updated to match.
TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"
Usecase: Spawn process using another binary
Privileges required: Administrator
OS: Windows 10 2004
Mitre: T1218



Execute calc.exe via ttdinject.exe with the TTDRecorder client scenario. Requires administrator privileges. A log file named tmp.run is created. The log file name can be changed, but the first /ClientParams field (7) is the character length of that name and must be updated to match.
ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"
Usecase: Spawn process using another binary
Privileges required: Administrator
OS: Windows 10 1909
Mitre: T1218
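The two detection ideas above (ttdinject.exe as parent of the launched command, and repeated IFEO key queries by ttdinject.exe) and the /ClientParams length rule from the Execute entries, worked as one added example. This is illustration code written for this page, not part of LOLBAS or of any Microsoft tooling. It runs over a handful of constructed, generic process-creation and registry-query events (the field names Event, Image, ParentImage, ProcessId, ParentProcessId, CommandLine and TargetObject are an assumed schema, not the output format of any specific sensor), parses the ttdinject command lines shown on this page to recover the /Launch target and the log-file name, checks that the declared length matches the name, and raises alerts for the two behaviours the Detection section describes. The trusted_ifeo_leaves allowlist and the query threshold are tunable assumptions.

```python
import re
from collections import Counter

TTDINJECT = "ttdinject.exe"
IFEO_PREFIX = ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Image File Execution Options\\")

# /ClientParams "<len> <logfile> 0 0 ..." and /Launch "<target>" as used on this page.
CLIENT_PARAMS_RE = re.compile(r'/ClientParams\s+"(\d+)\s+(\S+)[^"]*"', re.I)
LAUNCH_RE = re.compile(r'/launch\s+"?([^"\s]+)"?', re.I)


def basename(path):
    """Lower-cased file name of a Windows path, accepting \\ or / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_ttdinject_cmdline(cmdline):
    """Extract log-file name, its declared length and the /Launch target.

    length_ok is True when the first /ClientParams field equals len(logfile),
    which is the rule the Execute entries state for changing the log name.
    Returns None when the command line has neither switch.
    """
    cp = CLIENT_PARAMS_RE.search(cmdline)
    la = LAUNCH_RE.search(cmdline)
    if not cp and not la:
        return None
    info = {"log_name": None, "declared_len": None, "length_ok": None, "launch": None}
    if cp:
        info["declared_len"] = int(cp.group(1))
        info["log_name"] = cp.group(2)
        info["length_ok"] = len(cp.group(2)) == info["declared_len"]
    if la:
        info["launch"] = la.group(1)
    return info


def detect(events, trusted_ifeo_leaves=frozenset(), ifeo_threshold=2):
    """Return alert strings for the two behaviours in the Detection section.

    1. ttdinject.exe starts (enriched with /Launch target) or is the parent of
       a new process.
    2. ttdinject.exe queries the IFEO key of an executable not in the allowlist
       at least ifeo_threshold times (counted per ttdinject process).
    """
    alerts = []
    ifeo_hits = Counter()
    for ev in events:
        if ev["Event"] == "ProcessCreate":
            if basename(ev["ParentImage"]) == TTDINJECT:
                alerts.append(f"ttdinject.exe (pid {ev['ParentProcessId']}) spawned "
                              f"{ev['Image']}: {ev['CommandLine']}")
            if basename(ev["Image"]) == TTDINJECT:
                info = parse_ttdinject_cmdline(ev["CommandLine"]) or {}
                alerts.append(f"ttdinject.exe (pid {ev['ProcessId']}) started by "
                              f"{ev['ParentImage']} with /Launch target "
                              f"{info.get('launch')} (log {info.get('log_name')})")
        elif ev["Event"] == "RegQueryKey" and basename(ev["Image"]) == TTDINJECT:
            target = ev["TargetObject"]
            if target.lower().startswith(IFEO_PREFIX.lower()):
                leaf = target[len(IFEO_PREFIX):].split("\\")[0].lower()
                if leaf not in trusted_ifeo_leaves:
                    ifeo_hits[(ev["ProcessId"], leaf)] += 1
    for (pid, leaf), n in sorted(ifeo_hits.items()):
        if n >= ifeo_threshold:
            alerts.append(f"ttdinject.exe (pid {pid}) queried IFEO key for {leaf} {n} times")
    return alerts


# Constructed sample telemetry (not captured from a real host). The ttdinject
# command line is the one from the first Execute entry on this page.
CMD = ('TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" '
       '/Launch "C:/Windows/System32/calc.exe"')
TTD = "C:\\Windows\\System32\\ttdinject.exe"
IFEO_CALC = IFEO_PREFIX + "calc.exe"
EVENTS = [
    {"Event": "ProcessCreate", "ProcessId": 3300, "ParentProcessId": 1200,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
    {"Event": "ProcessCreate", "ProcessId": 4100, "ParentProcessId": 2048,
     "Image": TTD, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": CMD},
    {"Event": "RegQueryKey", "ProcessId": 4100, "Image": TTD, "TargetObject": IFEO_CALC},
    {"Event": "RegQueryKey", "ProcessId": 4100, "Image": TTD, "TargetObject": IFEO_CALC},
    {"Event": "RegQueryKey", "ProcessId": 4100, "Image": TTD, "TargetObject": IFEO_CALC},
    # single lookup, stays below the threshold
    {"Event": "RegQueryKey", "ProcessId": 4100, "Image": TTD,
     "TargetObject": IFEO_PREFIX + "notepad.exe"},
    {"Event": "ProcessCreate", "ProcessId": 4120, "ParentProcessId": 4100,
     "Image": "C:\\Windows\\System32\\calc.exe", "ParentImage": TTD,
     "CommandLine": "C:/Windows/System32/calc.exe"},
]

if __name__ == "__main__":
    print(parse_ttdinject_cmdline(CMD))
    for line in detect(EVENTS):
        print(line)
```

The ttdinject start alert is the weakest of the three on its own, since legitimate TTD recording through tttracer.exe produces the same start; the parent/child and repeated-IFEO signals are what make the launched target worth a look. Passing the expected debugging targets in trusted_ifeo_leaves suppresses the IFEO alert for them while keeping the parent/child alert.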