Suspicious Diantz Alternate Data Stream Execution

 1title: Suspicious Diantz Alternate Data Stream Execution
 2id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd
 3status: test
 4description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
 7author: frack113
 8date: 2021/11/26
 9modified: 2022/12/31
10tags:
11    - attack.defense_evasion
12    - attack.t1564.004
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        CommandLine|contains|all:
19            - diantz.exe
20            - .cab
21        CommandLine|re: ':[^\\]'
22    condition: selection
23falsepositives:
24    - Very Possible
25level: medium

References

• Diantz | LOLBAS

  Type: Compression This LOLBAS involves (de)compression of one or more files.

  
  Read More

Related rules

• Exports Registry Key To an Alternate Data Stream
• Decode Base64 Encoded Text
• ISO, VHD, LNK or IMG File Extracted from Zip (Sysmon)
• Web Browser Creates Zip Archive File (Sysmon)
• UAC Bypass With Fake DLL