Detectionhightest

Remote Thread Creation Ttdinject.exe Proxy

Detects a remote thread creation of Ttdinject.exe used as proxy

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

François HubautCreated Mon May 16Updated Thu Jun 02c15e99a3-c474-48ab-b9a7-84549a7a9d16windows

Log Source

WindowsRemote Thread Creation

ProductWindows← raw: windows

CategoryRemote Thread Creation← raw: create_remote_thread

Detection Logic

detection:
    selection:
        SourceImage|endswith: '\ttdinject.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

c15e99a3-c474-48ab-b9a7-84549a7a9d16

Status

test

Level

high

Type

Detection

Created

Mon May 16

Modified

Thu Jun 02

Author

Path

rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml

Raw Tags

attack.defense-evasionattack.t1127