DNS Exfiltration and Tunneling Tools Execution
Well-known DNS Exfiltration tools execution
Sigma rule
title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
    - https://github.com/iagox86/dnscat2
    - https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2021/11/27
tags:
    - attack.exfiltration
    - attack.t1048.001
    - attack.command_and_control
    - attack.t1071.004
    - attack.t1132.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\iodine.exe'
        - Image|contains: '\dnscat2'
    condition: selection
falsepositives:
    - Unlikely
level: high
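As an added example (not part of the rule or of SigmaHQ), the Python below implements only the rule's `selection` logic with simplified Sigma semantics (case-insensitive `endswith` and `contains`, no wildcard handling) and runs it over constructed Sysmon-style process-creation records, showing which image paths trigger the alert and which near-misses do not.

```python
# Sigma evaluates a list under `selection` as OR between its items and
# compares strings case-insensitively; the two items are taken from the rule.
SELECTION = [
    ("Image", "endswith", "\\iodine.exe"),
    ("Image", "contains", "\\dnscat2"),
]

def field_matches(value, modifier, pattern):
    """Apply one Sigma string modifier (only the two this rule uses)."""
    value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    raise ValueError(f"unsupported modifier: {modifier}")

def rule_matches(event):
    """True when any selection item matches the event (items are OR'ed)."""
    return any(
        field in event and field_matches(str(event[field]), modifier, pattern)
        for field, modifier, pattern in SELECTION
    )

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\iodine.exe"},
    {"EventID": 1, "Image": "C:\\Tools\\dnscat2\\dnscat2-client.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe"},
    # Different case still matches: Sigma string comparison is case-insensitive.
    {"EventID": 1, "Image": "C:\\Program Files\\IODINE.EXE"},
    # `endswith` is strict: anything after the file name defeats the match.
    {"EventID": 1, "Image": "C:\\tmp\\iodine.exe.bak"},
    # The leading backslash in '\dnscat2' requires a path component that
    # starts with the tool name, so this unrelated path does not match.
    {"EventID": 1, "Image": "C:\\Notes\\mydnscat2-writeup.exe"},
]

def matching_images(events):
    """Return the Image field of every event that triggers the rule."""
    return [event["Image"] for event in events if rule_matches(event)]

if __name__ == "__main__":
    for image in matching_images(SAMPLE_EVENTS):
        print("ALERT level=high rule='DNS Exfiltration and Tunneling Tools Execution' image=" + image)
```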
Related rules
- High DNS Requests Rate
- High DNS Requests Rate - Firewall
- High NULL Records Requests Rate
- High TXT Records Requests Rate
- Possible DNS Tunneling