{
	"id": "f6b61f7c-d316-4971-924d-271caee9020a",
	"created_at": "2026-04-06T00:13:17.63929Z",
	"updated_at": "2026-04-10T03:20:55.986523Z",
	"deleted_at": null,
	"sha1_hash": "ff38d0f27093d51d6d742abeef996eae99eebf62",
	"title": "Diantz on LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49538,
	"plain_text": "Diantz on LOLBAS\r\nArchived: 2026-04-02 11:43:16 UTC\r\nDiantz.exe\r\nBinary that packages existing files into a cabinet (.cab) file.\r\nPaths:\r\nc:\\windows\\system32\\diantz.exe\r\nc:\\windows\\syswow64\\diantz.exe\r\nResources:\r\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz\r\nhttps://ss64.com/nt/makecab-directives.html\r\nAcknowledgements:\r\nTamir Yehuda (@tim8288)\r\nHai Vaknin (@vakninhai)\r\nDetections:\r\nSigma: proc_creation_win_lolbin_diantz_ads.yml\r\nSigma: proc_creation_win_lolbin_diantz_remote_cab.yml\r\nIOC: diantz storing data into alternate data streams.\r\nIOC: diantz getting a file from a remote machine or the internet.\r\nAlternate data streams\r\n1. Compress a file (first argument) into a CAB file stored in an Alternate Data Stream (ADS) of the target file.\r\ndiantz.exe C:\\Windows\\Temp\\file.exe C:\\Windows\\Temp\\file.ext:targetFile.cab\r\nUse case\r\nHide data compressed into an Alternate Data Stream (requires an NTFS volume).\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1.\r\nATT\u0026CK® technique\r\nT1564.004: NTFS File Attributes\r\nTags\r\nType: Compression\r\nDownload\r\n1. Download and compress a remote file and store it in a CAB file on the local machine.\r\ndiantz.exe \\\\servername\\C$\\Windows\\Temp\\file.exe C:\\Windows\\Temp\\file.cab\r\nUse case\r\nDownload and compress into a CAB file.\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019\r\nATT\u0026CK® technique\r\nT1105: Ingress Tool Transfer\r\nTags\r\nType: Compression\r\nExecute\r\n1. Execute diantz directives as defined in the specified Diamond Definition File (.ddf); see resources for the format specification.\r\ndiantz /f file.ddf\r\nUse case\r\nBypass command-line based detections\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019\r\nATT\u0026CK® technique\r\nT1036: Masquerading\r\nTags\r\nType: Compression\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Diantz/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://lolbas-project.github.io/lolbas/Binaries/Diantz/"
	],
	"report_names": [
		"Diantz"
	],
	"threat_actors": [],
	"ts_created_at": 1775434397,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff38d0f27093d51d6d742abeef996eae99eebf62.pdf",
		"text": "https://archive.orkl.eu/ff38d0f27093d51d6d742abeef996eae99eebf62.txt",
		"img": "https://archive.orkl.eu/ff38d0f27093d51d6d742abeef996eae99eebf62.jpg"
	}
}
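The three diantz abuses listed in the record above (ADS target, UNC/remote source, DDF directive file) each leave a distinctive process command line, which is what the two Sigma rules named in the record key on. The following is an added example, written for this page and not taken from the LOLBAS project or from those Sigma rules: a small Python classifier that tags each diantz process-creation event with the ATT&CK technique from the record. It assumes Sysmon-style field names (Image, CommandLine), uses its own heuristics rather than the published rules' logic, treats URL-shaped source arguments as remote alongside UNC paths (an assumption; the page only says "a remote machine or the internet"), and runs over constructed sample events, not real telemetry.

```python
import re

# Constructed Sysmon-style process-creation events for this example; not real
# telemetry. The field names (Image, CommandLine) are an assumption, not
# something the LOLBAS page specifies.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\diantz.exe",
     "CommandLine": r"diantz.exe C:\Windows\Temp\file.exe C:\Windows\Temp\file.ext:targetFile.cab"},
    {"Image": r"C:\Windows\SysWOW64\diantz.exe",
     "CommandLine": r"diantz.exe \\servername\C$\Windows\Temp\file.exe C:\Windows\Temp\file.cab"},
    {"Image": r"C:\Windows\System32\diantz.exe",
     "CommandLine": r"diantz /f file.ddf"},
    # benign: local source, local CAB target, quoted path with a space
    {"Image": r"C:\Windows\System32\diantz.exe",
     "CommandLine": r'diantz.exe "C:\Program Files\App\report.txt" C:\out\report.cab'},
    # not diantz at all; must be ignored
    {"Image": r"C:\Windows\System32\makecab.exe",
     "CommandLine": r"makecab.exe C:\src\a.txt C:\out\a.cab"},
]

# ADS target: a path followed by ":streamname" with no path separator after the
# colon. The optional drive-letter prefix is consumed first so that a plain
# "C:\file.cab" does not match.
ADS_RE = re.compile(r"^(?:[A-Za-z]:)?[^:]+:[^:\\/]+$")
# URL-shaped sources are flagged as remote too (assumption, see lead-in).
URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted args whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify_diantz(event):
    """Return [(label, attack_id), ...] for one process-creation event.

    Only events whose Image is diantz.exe are inspected. A renamed copy of the
    binary would need an OriginalFileName (PE version info) check, which these
    sample events do not carry.
    """
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image_name != "diantz.exe":
        return []
    findings = []
    for arg in split_cmdline(event.get("CommandLine", ""))[1:]:
        low = arg.lower()
        if ADS_RE.match(arg):
            findings.append(("ads", "T1564.004"))          # NTFS File Attributes
        if arg.startswith("\\\\") or URL_RE.match(arg):
            findings.append(("remote", "T1105"))           # Ingress Tool Transfer
        if low in ("/f", "-f") or low.endswith(".ddf"):
            findings.append(("ddf", "T1036"))              # Masquerading (args hidden in DDF)
    # deduplicate while keeping first-seen order ("/f" and "file.ddf" both tag ddf)
    return list(dict.fromkeys(findings))


def scan(events):
    """Return (CommandLine, findings) for every event that triggered at least one IOC."""
    hits = []
    for ev in events:
        findings = classify_diantz(ev)
        if findings:
            hits.append((ev.get("CommandLine", ""), findings))
    return hits


if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS):
        print(f"{findings} <- {cmdline}")
```

The DDF case is the one worth extra attention in a real deployment: once the source and target live inside the .ddf, the command line no longer shows an ADS target or a UNC source, so the classifier can only flag that a directive file was used; pairing the process event with a file-creation event for the .ddf (or reading its contents) is what recovers the hidden arguments.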