Suspicious Diantz Download and Compress Into a CAB File
Download and compress a remote file and store it in a cab file on local machine.
Sigma rule (View on GitHub)
1title: Suspicious Diantz Download and Compress Into a CAB File
2id: 185d7418-f250-42d0-b72e-0c8b70661e93
3status: test
4description: Download and compress a remote file and store it in a cab file on local machine.
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
7author: frack113
8date: 2021/11/26
9modified: 2022/08/13
10tags:
11 - attack.command_and_control
12 - attack.t1105
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains|all:
19 - diantz.exe
20 - ' \\\\'
21 - '.cab'
22 condition: selection
23falsepositives:
24 - Unknown
25level: medium
References
Related rules
- Curl Usage on Linux
- Finger.exe Suspicious Invocation
- Password Protected ZIP File Opened (Suspicious Filenames)
- Potential Download/Upload Activity Using Type Command
- PrintBrm ZIP Creation of Extraction