Suspicious Diantz Alternate Data Stream Execution
Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
Sigma rule (View on GitHub)
1title: Suspicious Diantz Alternate Data Stream Execution
2id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd
3status: test
4description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
7author: frack113
8date: 2021-11-26
9modified: 2022-12-31
10tags:
11 - attack.defense-evasion
12 - attack.t1564.004
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains|all:
19 - diantz.exe
20 - .cab
21 CommandLine|re: ':[^\\]'
22 condition: selection
23falsepositives:
24 - Very Possible
25level: medium
References
Related rules
- Execute From Alternate Data Streams
- Exports Registry Key To an Alternate Data Stream
- HackTool Named File Stream Created
- Hidden Executable In NTFS Alternate Data Stream
- Insensitive Subfolder Search Via Findstr.EXE