DNS Exfiltration and Tunneling Tools Execution

Well-known DNS Exfiltration tools execution

Sigma rule (View on GitHub)

 1title: DNS Exfiltration and Tunneling Tools Execution
 2id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
 3status: test
 4description: Well-known DNS Exfiltration tools execution
 5references:
 6    - https://github.com/iagox86/dnscat2
 7    - https://github.com/yarrick/iodine
 8author: Daniil Yugoslavskiy, oscd.community
 9date: 2019-10-24
10modified: 2021-11-27
11tags:
12    - attack.exfiltration
13    - attack.t1048.001
14    - attack.command-and-control
15    - attack.t1071.004
16    - attack.t1132.001
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        - Image|endswith: '\iodine.exe'
23        - Image|contains: '\dnscat2'
24    condition: selection
25falsepositives:
26    - Unlikely
27level: high

References

Related rules

to-top