Adversaries are using Evilginx, with the infrastructure listed in the IOCs below, to perform credential phishing and exfiltrate sensitive data by impersonating legitimate services. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate potential compromise of user credentials and internal systems.
IOC Summary

Malware Family: Evilginx
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 216[.]158[.]235[.]73:3333 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 185[.]33[.]84[.]183:3000 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 170[.]39[.]185[.]141:2030 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 163[.]245[.]217[.]90:3333 | botnet_cc | 2026-06-10 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Evilginx
let malicious_ips = dynamic(["185.33.84.183", "163.245.217.90", "216.158.235.73", "170.39.185.141"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["185.33.84.183", "163.245.217.90", "216.158.235.73", "170.39.185.141"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
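As an added example (not part of the original page or the ThreatFox feed), a small Python helper that refangs the defanged ip:port indicators from the table above, emits a KQL hunt that joins on the IP and port pair (the queries above match on IP alone, so a connection to the same host on a different port also fires), and runs the same pair check over a constructed sample of exported CommonSecurityLog rows. Column names follow CommonSecurityLog; the datatable/join form of the query is an assumption that the reader's workspace accepts it.

```python
import re
from typing import Iterable

# Constructed input: the defanged ip:port indicators from the IOC table above.
DEFANGED_IOCS = [
    "216[.]158[.]235[.]73:3333",
    "185[.]33[.]84[.]183:3000",
    "170[.]39[.]185[.]141:2030",
    "163[.]245[.]217[.]90:3333",
]

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' indicator into an (ip, port) tuple."""
    ip, sep, port = ioc.strip().replace("[.]", ".").partition(":")
    if not sep or not IPV4.match(ip) or not port.isdigit():
        raise ValueError(f"not an ip:port indicator: {ioc!r}")
    return ip, int(port)


def build_kql(iocs: Iterable[str], table: str = "CommonSecurityLog") -> str:
    """Emit a KQL hunt that joins on the (IP, port) pair rather than the IP alone."""
    rows = ",\n    ".join(f'"{ip}", {port}' for ip, port in map(refang, iocs))
    return (
        f"let iocs = datatable(ip:string, port:int) [\n    {rows}\n];\n"
        f"{table}\n"
        "| join kind=inner (iocs) on $left.DestinationIP == $right.ip, "
        "$left.DestinationPort == $right.port\n"
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity\n"
        "| order by TimeGenerated desc"
    )


def match_events(events: Iterable[dict], iocs: Iterable[str]) -> list[dict]:
    """Offline check of exported rows: keep those whose (dst ip, dst port) pair is an IOC."""
    wanted = set(map(refang, iocs))
    return [e for e in events if (e["DestinationIP"], e["DestinationPort"]) in wanted]


# Constructed sample export: one true hit, one same-IP-other-port, one unrelated row.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-11T08:01:00Z", "DestinationIP": "216.158.235.73", "DestinationPort": 3333},
    {"TimeGenerated": "2026-06-11T08:02:00Z", "DestinationIP": "216.158.235.73", "DestinationPort": 443},
    {"TimeGenerated": "2026-06-11T08:03:00Z", "DestinationIP": "10.0.0.12", "DestinationPort": 3333},
]

if __name__ == "__main__":
    print(build_kql(DEFANGED_IOCS))
    for hit in match_events(SAMPLE_EVENTS, DEFANGED_IOCS):
        print("HIT", hit)
```

The same-IP-other-port row is deliberately left out of the hits so it can be triaged separately rather than silently merged with confirmed C2-port matches.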
Scenario: Legitimate Scheduled Job Using curl for Internal API Calls
Description: A scheduled job runs curl to fetch data from an internal API endpoint, which may match the Evilginx IOC pattern.
Filter/Exclusion: Exclude traffic to internal API endpoints (e.g., api.internal.company.com) using a domain filter or source IP range.
Scenario: System Update via wget Using a Known Mirror
Description: A system update process uses wget to download a package from a known mirror, which may be flagged due to similar command-line patterns.
Filter/Exclusion: Exclude traffic to known update mirrors (e.g., mirror.centos.org, archive.ubuntu.com) using a domain filter.
Scenario: Admin Task Using scp to Transfer Configuration Files
Description: An administrator uses scp to transfer configuration files between servers, which may trigger the rule due to command-line similarities.
Filter/Exclusion: Exclude traffic between internal servers (e.g., 10.0.0.0/24) or specific file paths (e.g., /etc/).
Scenario: Log Collection via rsync to a Centralized Logging Server
Description: A log collection process uses rsync to transfer logs to a centralized logging server, which may match the IOC pattern.
Filter/Exclusion: Exclude traffic to the centralized logging server (e.g., logserver.company.com) or specific log directories (e.g., /var/log/).
Scenario: Software Deployment Using ansible with Known Playbooks
Description: Ansible playbooks are executed to deploy software, which may include commands that resemble malicious activity.
Filter/Exclusion: Exclude traffic to Ansible controllers or specific playbook execution paths (e.g.,