Techniques
Sample rules
Suspicious Diantz Alternate Data Stream Execution
- source: sigma
- techniques:
- t1564
- t1564.004
Description
Detects diantz.exe compressing a target file into a .cab archive that is written to an Alternate Data Stream (ADS) of a file rather than to a regular file. Data in an ADS does not appear in normal directory listings, so this is a way of hiding the archive on an NTFS volume (ATT&CK T1564.004, NTFS File Attributes, under T1564, Hide Artifacts).
Detection logic
detection:
    selection:
        CommandLine|contains|all:
            - 'diantz.exe'
            - '.cab'
        CommandLine|re: ':[^\\]'
    condition: selection

Both `contains` terms must be present (Sigma `contains` is case-insensitive). The regular expression `:[^\\]` matches a colon that is not followed by a backslash, i.e. the `file:stream` separator of an ADS path such as `notes.txt:payload.cab`, while a drive letter such as `C:\` is not matched. The expression is unanchored, so any other colon in the command line that is not followed by a backslash (for example inside a URL) also satisfies it; review hits for that shape before treating them as ADS writes.
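The selection above, transcribed by hand into Python and run over a few constructed process-creation command lines, so the behaviour of the `contains|all` terms and the `:[^\\]` regex can be checked offline. This is an added example, not code from the Sigma project or its backends; the sample command lines are made up for illustration and are not real telemetry.

```python
import re

# Hand transcription of the rule's `selection` (added example, not a Sigma backend).
# Sigma `contains` is case-insensitive, so the substrings are compared against the
# lower-cased command line; the `re` modifier is applied as written.
CONTAINS_ALL = ("diantz.exe", ".cab")
ADS_REGEX = re.compile(r":[^\\]")  # a colon that is NOT followed by a backslash


def matches_rule(command_line: str) -> bool:
    """Return True when the command line satisfies the rule's `selection`."""
    lowered = command_line.lower()
    if not all(token in lowered for token in CONTAINS_ALL):
        return False
    return ADS_REGEX.search(command_line) is not None


# Constructed sample command lines (not real telemetry), paired with the
# expected verdict so the regex's reach can be seen on each shape.
SAMPLES = [
    # cab written into a named stream of notes.txt: the rule should fire
    (r"diantz.exe C:\Users\Public\payload.exe C:\Users\Public\notes.txt:payload.cab", True),
    # upper-case binary name is still caught because `contains` ignores case
    (r"DIANTZ.EXE C:\temp\tool.dll C:\temp\readme.md:tool.cab", True),
    # ordinary compression: every colon is a drive letter followed by a backslash
    (r"diantz.exe C:\temp\report.docx C:\temp\report.cab", False),
    # stream-looking target but no '.cab' substring, so contains|all fails
    (r"diantz.exe C:\temp\a.txt C:\temp\b.txt:hidden", False),
    # the regex is unanchored: a colon in an unrelated argument (here a URL)
    # also satisfies it, which is the false-positive shape to keep in mind
    (r"diantz.exe C:\temp\site.html C:\temp\site.cab http://example.com", True),
]


def check_samples(samples=SAMPLES):
    """Evaluate every sample; returns (command_line, fired, expected) tuples."""
    return [(cmd, matches_rule(cmd), expected) for cmd, expected in samples]


if __name__ == "__main__":
    for cmd, fired, expected in check_samples():
        flag = "ALERT" if fired else "  ok "
        print(f"{flag}  {cmd}  (expected {'ALERT' if expected else 'ok'})")
```

The third and fourth samples show why both halves of the selection are needed: the regex alone would not distinguish `C:\temp\report.cab` from an ADS target, and the `.cab` term alone says nothing about where the archive is written. The last sample is the caveat from the rule text: the regex does not require the colon to sit inside a path, so a hit on that shape deserves a look at the actual destination argument.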