~/Privilege Escalation/Windows/Binaries# cat Ttdinject.exe.md

Used by Windows 1809 and newer for Time Travel Debugging (the underlying call made by tttracer.exe).

Paths:

C:\Windows\System32\ttdinject.exe
C:\Windows\Syswow64\ttdinject.exe

Detection:

Parent/child relationship: ttdinject.exe is the parent of the executed command.
Multiple queries made from the ttdinject.exe process to the IFEO registry key of an untrusted executable (e.g. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe").
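The two detection signals above, implemented as an added example (not part of the original page): a small rule run over constructed process-creation and registry-access events in a Sysmon-like dictionary shape (the field names, the event layout and the TRUSTED_TTD_TARGETS allow-list are assumptions).

```python
import re
from collections import Counter

# Constructed sample telemetry (not real logs). "process" events carry the
# parent image; "registry" events carry the accessing image and the key touched.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\ttdinject.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\calc.exe",
     "parent": r"C:\Windows\System32\ttdinject.exe", "cmdline": "calc.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\ttdinject.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\ttdinject.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\ttdinject.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# Extract the executable name at the end of an IFEO key path.
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.IGNORECASE)
# Assumed allow-list of images an organisation expects to trace with TTD;
# any other IFEO target queried by ttdinject.exe is treated as untrusted.
TRUSTED_TTD_TARGETS = {"tttracer.exe"}


def basename(path):
    """Lower-cased file name from a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, ifeo_threshold=2):
    """Return alert strings for (1) ttdinject.exe as parent of a new process and
    (2) repeated IFEO key queries by ttdinject.exe for an untrusted executable."""
    alerts = []
    ifeo_hits = Counter()
    for ev in events:
        if ev["type"] == "process" and basename(ev["parent"]) == "ttdinject.exe":
            alerts.append(f"ttdinject.exe spawned {basename(ev['image'])}: {ev['cmdline']}")
        elif ev["type"] == "registry" and basename(ev["image"]) == "ttdinject.exe":
            m = IFEO_RE.search(ev["target"])
            if m and m.group(1).lower() not in TRUSTED_TTD_TARGETS:
                ifeo_hits[m.group(1).lower()] += 1
    for exe, count in ifeo_hits.items():
        if count >= ifeo_threshold:
            alerts.append(f"ttdinject.exe queried IFEO key for {exe} {count} times")
    return alerts
```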

Execute

Executes calc.exe via ttdinject.exe. Requires administrator privileges. A log file will be created as tmp.run. The log file name can be changed, but the length argument (7) has to be updated to match.

TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"

Executes calc.exe via ttdinject.exe, explicitly selecting the TTDRecorder client scenario. Requires administrator privileges. A log file will be created as tmp.run. The log file name can be changed, but the length argument (7) has to be updated to match.

ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"