DNS Exfiltration and Tunneling Tools Execution

 1title: DNS Exfiltration and Tunneling Tools Execution
 2id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
 3status: test
 4description: Well-known DNS Exfiltration tools execution
 5references:
 6    - https://github.com/iagox86/dnscat2
 7    - https://github.com/yarrick/iodine
 8author: Daniil Yugoslavskiy, oscd.community
 9date: 2019-10-24
10modified: 2021-11-27
11tags:
12    - attack.exfiltration
13    - attack.t1048.001
14    - attack.command-and-control
15    - attack.t1071.004
16    - attack.t1132.001
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        - Image|endswith: '\iodine.exe'
23        - Image|contains: '\dnscat2'
24    condition: selection
25falsepositives:
26    - Unlikely
27level: high

References

• GitHub - iagox86/dnscat2

  

  Contribute to iagox86/dnscat2 development by creating an account on GitHub.

  
  Read More

• GitHub - yarrick/iodine: Official git repo for iodine dns tunnel

  

  Official git repo for iodine dns tunnel. Contribute to yarrick/iodine development by creating an account on GitHub.

  
  Read More

Related rules

• Suspicious DNS Query with B64 Encoded String
• APT40 Dropbox Tool User Agent
• Cisco Stage Data
• Cobalt Strike DNS Beaconing
• Communication To Ngrok Tunneling Service - Linux