DNS Exfiltration and Tunneling Tools Execution

Jan 29, 2024 · attack.exfiltration attack.t1048.001 attack.command_and_control attack.t1071.004 attack.t1132.001 ·

Well-known DNS Exfiltration tools execution

Sigma rule (View on GitHub)

 1title: DNS Exfiltration and Tunneling Tools Execution
 2id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
 3status: test
 4description: Well-known DNS Exfiltration tools execution
 5references:
 6    - https://github.com/iagox86/dnscat2
 7    - https://github.com/yarrick/iodine
 8author: Daniil Yugoslavskiy, oscd.community
 9date: 2019/10/24
10modified: 2021/11/27
11tags:
12    - attack.exfiltration
13    - attack.t1048.001
14    - attack.command_and_control
15    - attack.t1071.004
16    - attack.t1132.001
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        - Image|endswith: '\iodine.exe'
23        - Image|contains: '\dnscat2'
24    condition: selection
25falsepositives:
26    - Unlikely
27level: high

References

GitHub - iagox86/dnscat2

Contribute to iagox86/dnscat2 development by creating an account on GitHub.

Read More
GitHub - yarrick/iodine: Official git repo for iodine dns tunnel

Official git repo for iodine dns tunnel. Contribute to yarrick/iodine development by creating an account on GitHub.

Read More

DNS Exfiltration and Tunneling Tools Execution

Sigma rule (View on GitHub)

References

GitHub - iagox86/dnscat2

GitHub - yarrick/iodine: Official git repo for iodine dns tunnel

Related rules