Deprecated - Potential DNS Tunneling via Iodine

Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.

Elastic rule

[metadata]
creation_date = "2020/02/18"
deprecation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "deprecated"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/25"

[rule]
author = ["Elastic"]
description = """
Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls,
network security groups, and network access lists while evading detection.
"""
false_positives = [
    """
    Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very
    uncommon.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Deprecated - Potential DNS Tunneling via Iodine"
note = "This rule was deprecated due to its addition to the umbrella `Potential Linux Tunneling and/or Port Forwarding` (6ee947e9-de7e-4281-a55d-09289bdf947e) rule."
references = ["https://code.kryo.se/iodine/"]
risk_score = 73
rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

This rule was deprecated due to its addition to the umbrella Potential Linux Tunneling and/or Port Forwarding (6ee947e9-de7e-4281-a55d-09289bdf947e) rule.
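To see exactly which process events the rule's KQL query would match, here is an added Python example (not Elastic's code) that parses the conjunction-only subset of KQL this rule uses and evaluates it over constructed ECS-shaped events; the sample events and the helper names are assumptions made for the illustration.

```python
import re

# The KQL query from the deprecated rule above, copied verbatim.
RULE_QUERY = (
    "event.category:process and host.os.type:linux and "
    "event.type:(start or process_started) and process.name:(iodine or iodined)"
)

# One clause: 'field:value' or 'field:(v1 or v2)'.
_CLAUSE = re.compile(r"^([\w.]+):(?:\(([^)]*)\)|(\S+))$")

def parse_query(query):
    """Parse clauses joined by ' and ' into (field, {allowed values}) pairs.
    Only the subset of KQL used by this rule is supported."""
    clauses = []
    for raw in query.split(" and "):
        m = _CLAUSE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported clause: {raw!r}")
        field, group, single = m.groups()
        values = group.split(" or ") if group is not None else [single]
        clauses.append((field, {v.strip() for v in values}))
    return clauses

def get_field(event, dotted):
    """Resolve an ECS dotted field name against a nested event dict. Always
    returns a list, since ECS fields like event.category may be arrays."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return node if isinstance(node, list) else [node]

def matches(event, clauses):
    """Every clause must hold; a clause holds if any value of the field is in
    the allowed set (keyword fields compare exactly, so 'Iodine' != 'iodine')."""
    return all(any(v in allowed for v in get_field(event, f)) for f, allowed in clauses)

# Constructed sample events (not real telemetry): only the first should alert.
SAMPLE_EVENTS = [
    {"event": {"category": ["process"], "type": ["start"]}, "host": {"os": {"type": "linux"}}, "process": {"name": "iodined"}},
    {"event": {"category": ["process"], "type": ["start"]}, "host": {"os": {"type": "linux"}}, "process": {"name": "sshd"}},
    {"event": {"category": ["process"], "type": ["end"]}, "host": {"os": {"type": "linux"}}, "process": {"name": "iodine"}},
    {"event": {"category": ["process"], "type": ["start"]}, "host": {"os": {"type": "windows"}}, "process": {"name": "iodine"}},
]

def alerts(events, query=RULE_QUERY):
    """Return the process names of events that satisfy the rule query."""
    clauses = parse_query(query)
    return [e["process"]["name"] for e in events if matches(e, clauses)]
```

Note that the third and fourth sample events carry an Iodine process name but fail the event.type and host.os.type clauses respectively, which is why the rule only fires on Linux process start events.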
