
Summary
This rule detects the execution of well-known DNS exfiltration and tunneling tools on Windows systems. It focuses on two specific tools, Iodine and Dnscat2, which are commonly used to exfiltrate data inside DNS queries. The rule inspects process creation logs, matching process images that either end with 'iodine.exe' or contain 'dnscat2' anywhere in their file path. Because these tools can be used to exfiltrate sensitive data, the rule is classified with a high severity level. False positives are unlikely, but legitimate applications may exhibit similar behaviors, so each alert should be investigated further. The rule is part of a proactive approach to monitoring network traffic and ensuring secure data handling practices.
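As an added illustration of the matching logic described above (this is example code written for this page, not the rule's own query or any project's code), the following Python re-implements the two conditions, a process image ending with 'iodine.exe' or containing 'dnscat2', and runs them over a few constructed process-creation records. The field names (Image, ProcessId, ParentImage, User) are assumed to follow Sysmon Event ID 1 naming, and the comparison is assumed to be case-insensitive, as Windows paths are.

```python
# Added example: applies the detection conditions this page describes to
# constructed process-creation events. Field names follow Sysmon Event ID 1
# naming by assumption; none of the sample paths come from a real host.

from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "1204", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"ProcessId": "4412", "Image": r"C:\Users\alice\Downloads\iodine.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\alice"},
    # Binary renamed, but it lives in a directory named dnscat2: substring match fires.
    {"ProcessId": "5120", "Image": r"C:\Tools\dnscat2\client.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\bob"},
    # Ends with 'iodine_installer.exe', not 'iodine.exe': no match.
    {"ProcessId": "5888", "Image": r"C:\Program Files\Vendor\iodine_installer.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "User": "CORP\\carol"},
    # Upper-case image name: still matches because the comparison is case-insensitive.
    {"ProcessId": "6030", "Image": r"C:\Windows\Temp\IODINE.EXE",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "CORP\\dave"},
]


def is_dns_tunnel_tool(image: str) -> bool:
    """Return True when the process image satisfies either rule condition.

    The check is case-insensitive (assumption: the rule backend compares
    Windows paths case-insensitively, as the filesystem does).
    """
    img = image.lower()
    return img.endswith("iodine.exe") or "dnscat2" in img


def scan_process_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over process-creation events.

    Returns one alert record per matching event, carrying the fields an
    analyst needs to begin triage (who ran it, from where, spawned by what).
    """
    alerts: List[Dict[str, str]] = []
    for ev in events:
        image = ev.get("Image", "")
        if not is_dns_tunnel_tool(image):
            continue
        alerts.append({
            "severity": "high",
            "message": "DNS exfiltration/tunneling tool executed",
            "ProcessId": ev.get("ProcessId", ""),
            "Image": image,
            "ParentImage": ev.get("ParentImage", ""),
            "User": ev.get("User", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields three alerts (process IDs 4412, 5120 and 6030). The two conditions behave differently: 'dnscat2' is a substring match, so it fires on a directory name even when the binary itself has been renamed, whereas 'iodine.exe' is a suffix match, so a renamed Iodine binary is not caught by this rule alone. That asymmetry is a reason to pair the rule with DNS-level telemetry rather than rely on process names by themselves.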
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2019-10-24