DNS Exfiltration and Tunneling Tools Execution

Hunt Hypothesis

Well-known DNS Exfiltration tools execution

Detection Rule

Sigma (Original)

title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
    - https://github.com/iagox86/dnscat2
    - https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.exfiltration
    - attack.t1048.001
    - attack.command-and-control
    - attack.t1071.004
    - attack.t1132.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\iodine.exe'
        - Image|contains: '\dnscat2'
    condition: selection
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\iodine.exe" or TargetProcessName contains "\\dnscat2"

Required Data Sources

False Positive Guidance

• Unlikely

MITRE ATT&CK Context

• Tactic: Exfiltration
• Tactic: Command and Control
• Technique: T1048.001 — T1048.001
• Technique: T1071.004 — T1071.004
• Technique: T1132.001 — T1132.001

References

• https://github.com/iagox86/dnscat2
• https://github.com/yarrick/iodine
• SigmaHQ Rule