diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml index 74ff612f..832b996b 100644 --- a/yml/OSBinaries/Diantz.yml +++ b/yml/OSBinaries/Diantz.yml @@ -1,7 +1,7 @@ --- Name: Diantz.exe Description: Binary that package existing files into a cabinet (.cab) file -Author: 'Tamir Yehuda' +Author: Tamir Yehuda Created: 2020-08-08 Commands: - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab @@ -22,6 +22,15 @@ Commands: OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 Tags: - Type: Compression + - Command: diantz /f directives.ddf + Description: Execute diantz directives as defined in the specified Diamond Definition File (.ddf); see resources for the format specification. + Usecase: Bypass command-line based detections + Category: Execute + Privileges: User + MitreID: T1036 + OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 + Tags: + - Type: Compression Full_Path: - Path: c:\windows\system32\diantz.exe - Path: c:\windows\syswow64\diantz.exe @@ -34,6 +43,7 @@ Detection: - IOC: diantz getting a file from a remote machine or the internet. Resources: - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz + - Link: https://ss64.com/nt/makecab-directives.html Acknowledgement: - Person: Tamir Yehuda Handle: '@tim8288'
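Review bot: In the second hunk, the new `diantz /f directives.ddf` entry is given `Category: Execute` but keeps `Tags: - Type: Compression`, apparently copied from the existing compression command; either the tag should describe the directive-file use case or the category should match the other entries, otherwise consumers filtering on tags will misclassify it. The Detection section visible in the third hunk's context still lists only `IOC: diantz getting a file from a remote machine or the internet`, which does not cover this command at all; since the Usecase is "Bypass command-line based detections", please add an IOC for diantz being launched with `/f` and a `.ddf` path so defenders have a detection hint that matches the new entry.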
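Review bot: In the third hunk, the added `Link: https://ss64.com/nt/makecab-directives.html` documents makecab's directive syntax, while the new command's Description tells the reader to "see resources for the format specification" for a Diamond Definition File used by diantz; consider stating in the Description that the directive format is the one documented for makecab, or add the vendor's own .ddf reference alongside the existing Microsoft link, so the relationship between `diantz /f` and the makecab directives page is explicit for readers.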