Diantz.exe
Binary that packages existing files into a cabinet (.cab) file.
Paths
c:\windows\system32\diantz.exe
c:\windows\syswow64\diantz.exe
Commands
ADS
Compress a file (first argument) into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Use case: Hide data compressed into an Alternate Data Stream.
Privileges: User
diantz.exe {PATH_ABSOLUTE:.exe} {PATH_ABSOLUTE}:targetFile.cab
Download
Download and compress a remote file and store it in a CAB file on local machine.
Use case: Download and compress into a cab file.
Privileges: User
diantz.exe {PATH_SMB:.exe} {PATH_ABSOLUTE:.cab}
Execute
Execute diantz directives as defined in the specified Diamond Definition File (.ddf); see resources for the format specification.
Use case: Bypass command-line-based detections.
Privileges: User
diantz /f {PATH:.ddf}
Detection
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
- IOC: diantz storing data into alternate data streams.
- IOC: diantz getting a file from a remote machine or the internet.
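A minimal process-creation check for the two IOCs above, added here as an example; it is not part of the LOLBAS entry or the linked Sigma rules. The event lines and the `diantz_*` tag names are constructed for this example, and the remote check covers only UNC (SMB) sources as in the Download command.

```python
"""Flag diantz.exe process-creation events for the two IOCs on this page:
a CAB written into an alternate data stream, or a source file pulled
from a remote SMB share. Sample events and tag names are constructed."""
import re

# Constructed sample events in the form "Image|CommandLine" (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\diantz.exe|diantz.exe C:\Users\u\a.exe C:\Users\u\notes.txt:payload.cab",
    r"C:\Windows\SysWOW64\diantz.exe|diantz.exe \\10.0.0.5\share\a.exe C:\Users\u\a.cab",
    r"C:\Windows\System32\diantz.exe|diantz.exe C:\Users\u\a.exe C:\Users\u\a.cab",
    r"C:\Windows\System32\notepad.exe|notepad.exe C:\Users\u\x.txt:hidden.cab",
]

DRIVE_RE = re.compile(r"^[A-Za-z]:")          # "C:" prefix
UNC_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+")   # \\host\share...


def is_ads_path(path):
    """True if a colon remains after the drive prefix, e.g. notes.txt:x.cab."""
    body = path[2:] if DRIVE_RE.match(path) else path
    return ":" in body


def classify(image, cmdline):
    """Return IOC tags for one event; an empty list means nothing matched."""
    if not image.lower().endswith("\\diantz.exe"):
        return []
    # A whitespace split is enough for the unquoted forms listed on this page.
    args = [a.strip('"') for a in cmdline.split()[1:]]
    tags = []
    if any(UNC_RE.match(a) for a in args):
        tags.append("diantz_remote_source")
    if args and is_ads_path(args[-1]):   # destination CAB is the last argument
        tags.append("diantz_ads_target")
    return tags


def scan(events):
    """Map each flagged command line to its IOC tags."""
    hits = {}
    for line in events:
        image, _, cmdline = line.partition("|")
        tags = classify(image, cmdline)
        if tags:
            hits[cmdline] = tags
    return hits


if __name__ == "__main__":
    for cmd, tags in scan(SAMPLE_EVENTS).items():
        print(", ".join(tags), "<-", cmd)
```

The DDF-driven form (`diantz /f`) keeps the source and destination out of the command line, so this check does not see it; that case needs file or stream telemetry rather than process-creation events.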