From e09cf1066f4d9c0dd682df03ad978d6a196775a9 Mon Sep 17 00:00:00 2001 From: TAbdiukov Date: Sun, 18 Aug 2024 07:02:55 +1000 Subject: [PATCH] Add Diantz directives/DDF entry to diantz.exe (#390) Co-authored-by: Wietze --- yml/OSBinaries/Diantz.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml index 74ff612..832b996 100644 --- a/yml/OSBinaries/Diantz.yml +++ b/yml/OSBinaries/Diantz.yml @@ -1,7 +1,7 @@ --- Name: Diantz.exe Description: Binary that package existing files into a cabinet (.cab) file -Author: 'Tamir Yehuda' +Author: Tamir Yehuda Created: 2020-08-08 Commands: - Command: diantz.exe c:\pathToFile\file.exe c:\destinationFolder\targetFile.txt:targetFile.cab @@ -22,6 +22,15 @@ Commands: OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 Tags: - Type: Compression + - Command: diantz /f directives.ddf + Description: Execute diantz directives as defined in the specified Diamond Definition File (.ddf); see resources for the format specification. + Usecase: Bypass command-line based detections + Category: Execute + Privileges: User + MitreID: T1036 + OperatingSystem: Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019 + Tags: + - Type: Compression Full_Path: - Path: c:\windows\system32\diantz.exe - Path: c:\windows\syswow64\diantz.exe @@ -34,6 +43,7 @@ Detection: - IOC: diantz getting a file from a remote machine or the internet. Resources: - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz + - Link: https://ss64.com/nt/makecab-directives.html Acknowledgement: - Person: Tamir Yehuda Handle: '@tim8288'
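Review bot: in the first hunk (the header block of Diantz.yml), the unchanged context line `Description: Binary that package existing files into a cabinet (.cab) file` has a grammar slip (`package` should be `packages`); since this hunk already edits the adjacent `Author` line, it would be cheap to fix the description in the same change rather than leave it for a later PR.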
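Review bot: in the second hunk (the new `diantz /f directives.ddf` entry), the metadata is internally inconsistent: `Category: Execute` and `MitreID: T1036` sit next to `Tags: - Type: Compression` and a Usecase of "Bypass command-line based detections", while the Description only says the binary processes a Diamond Definition File. Either the entry demonstrates something beyond packaging files (in which case the Description should say what, so defenders know what to look for) or the Category should match the existing `Type: Compression` entry above it; please also use `diantz.exe` in the Command line for consistency with the first entry, and consider whether the `OperatingSystem` list should include client Windows versions where the binary also ships, if that is known.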
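Review bot: in the third hunk, the new Resources link is welcome, but the visible `Detection:` context above it still carries only `IOC: diantz getting a file from a remote machine or the internet.`, which does not cover the `/f <file>.ddf` usage this PR adds. A detection entry for `diantz.exe` launched with `/f` and a `.ddf` argument (for example a Sigma rule or a process-command-line IOC) would keep the Detection section in step with the Commands section, which is the point of adding the directive-file entry in the first place.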