LoFP: normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon.

Techniques

Sample rules

Deprecated - Potential DNS Tunneling via Iodine

Description

Iodine is a tool for tunneling Internet Protocol version 4 (IPv4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.

Detection logic

event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)
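The query above, rewritten as a small evaluator over constructed ECS-shaped process events. This is an added example, not the rule engine's own implementation; the nested-dict event layout and the sample events are assumptions.

```python
# Added example: apply the rule's predicate to ECS-shaped process events.
# The event layout and the sample events below are constructed for illustration.
from typing import Any, Dict, List

# Values taken directly from the detection logic above.
IODINE_PROCESS_NAMES = {"iodine", "iodined"}
START_EVENT_TYPES = {"start", "process_started"}


def get_field(event: Dict[str, Any], dotted: str) -> List[str]:
    """Resolve a dotted ECS field such as 'event.type' against a nested dict.
    Always returns a list, because ECS allows array-valued fields."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return [str(v) for v in node] if isinstance(node, list) else [str(node)]


def matches_iodine_rule(event: Dict[str, Any]) -> bool:
    """True when every clause of the query is satisfied by the event."""
    return (
        "process" in get_field(event, "event.category")
        and "linux" in get_field(event, "host.os.type")
        and bool(START_EVENT_TYPES & set(get_field(event, "event.type")))
        and bool(IODINE_PROCESS_NAMES & set(get_field(event, "process.name")))
    )


def matching_process_names(events: List[Dict[str, Any]]) -> List[str]:
    """Return process.name for each event that would fire the rule."""
    return [get_field(e, "process.name")[0] for e in events if matches_iodine_rule(e)]


# Constructed sample events (not real telemetry): a hit, a non-start event
# for the same binary, and a start on a non-Linux host.
SAMPLE_EVENTS = [
    {"event": {"category": ["process"], "type": ["start"]},
     "host": {"os": {"type": "linux"}}, "process": {"name": "iodined"}},
    {"event": {"category": ["process"], "type": ["end"]},
     "host": {"os": {"type": "linux"}}, "process": {"name": "iodine"}},
    {"event": {"category": ["process"], "type": ["process_started"]},
     "host": {"os": {"type": "windows"}}, "process": {"name": "iodine"}},
]

if __name__ == "__main__":
    print(matching_process_names(SAMPLE_EVENTS))  # ['iodined']
```

Events that match still need the LoFP check above applied during triage: a hit from a known security-testing host is the expected benign case.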