Adversaries may be operating Evilginx infrastructure (the IOCs listed below) to run phishing campaigns that steal credentials by impersonating legitimate services. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate credential theft and any follow-on lateral movement.
IOC Summary
Malware Family: Evilginx
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 15[.]237[.]111[.]251:8443 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 212[.]193[.]5[.]199:9000 | botnet_cc | 2026-06-15 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Evilginx
// Note: the IOCs above carry ports (8443, 9000); this query matches on IP alone,
// so it also surfaces traffic to other ports on those hosts.
let malicious_ips = dynamic(["15.237.111.251", "212.193.5.199"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// RemotePort and InitiatingProcessFileName are projected so hits can be
// graded (IP+port vs IP-only) and triaged against the false-positive scenarios below.
let malicious_ips = dynamic(["15.237.111.251", "212.193.5.199"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Backup Using rsync
Description: A scheduled backup job using rsync transfers files to a remote server, which may match the IOC pattern due to similar command-line arguments.
Filter/Exclusion: Exclude processes initiated by the rsync binary or those with --backup or --exclude flags in the command line.
Scenario: Admin Task Using curl for API Calls
Description: An administrator uses curl to interact with an internal API, which may include URLs matching Evilginx IOC patterns due to similar URL structures.
Filter/Exclusion: Exclude processes initiated by the curl binary and filter by user (e.g., root or admin), or check for the presence of known internal API endpoints in the URL.
Scenario: Scheduled Job for Log Aggregation Using logrotate
Description: A log rotation job using logrotate may generate temporary files or use paths that match Evilginx IOCs.
Filter/Exclusion: Exclude processes related to logrotate or filter by command-line arguments containing rotate, compress, or move.
Scenario: Internal Monitoring Tool Using Prometheus and Grafana
Description: A monitoring setup using Prometheus and Grafana may include URLs or endpoints that resemble Evilginx IOCs due to similar naming conventions.
Filter/Exclusion: Exclude processes related to prometheus or grafana, or filter by process names and user context.
Scenario: Development Environment with Docker and Nginx
Description: A developer’s local environment using Docker and Nginx may have containerized services that match Evilginx IOC patterns due to similar service configurations.
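The following script is an added example and is not part of the original page, ThreatFox, or the Evilginx project. It refangs the ip:port IOCs from the table above, generates the `let malicious_ips` line used by the hunting queries so the list is never retyped by hand, and then runs the match over a few constructed DeviceNetworkEvents-style records. It goes slightly beyond the KQL above in two ways: it grades each hit as an exact IP+port match or an IP-only match, and it applies the false-positive scenarios as a triage tag rather than a suppression, so a known tool such as curl or rsync talking to a listed C2 address is still reported. The process names, the field names, and the sample events are assumptions chosen to mirror the page; they are not real telemetry.

```python
"""Added example, not part of the original page: refang the ThreatFox-style
ip:port IOCs from the table above, match them against constructed
DeviceNetworkEvents-like records on both IP and port, and tag hits with
the benign-tool context described in the false-positive scenarios."""
from typing import Dict, List, Optional, Set

# The two defanged IOC rows from the table above (type, value).
IOC_TABLE = [
    ("ip:port", "15[.]237[.]111[.]251:8443"),
    ("ip:port", "212[.]193[.]5[.]199:9000"),
]

# Process names taken from the false-positive scenarios above (assumed list).
# A hit whose initiating process is one of these is still reported, just tagged
# for review: a curl or rsync connection to a known C2 address is not benign by itself.
REVIEW_PROCESSES = {"rsync", "curl", "logrotate", "prometheus", "grafana", "docker", "nginx"}


def refang(value: str) -> str:
    """Reverse the usual defanging so the value can be compared to telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_ip_port_iocs(table) -> Dict[str, Set[int]]:
    """Build {ip: {ports}} from the ip:port rows of an IOC table."""
    iocs: Dict[str, Set[int]] = {}
    for ioc_type, raw in table:
        if ioc_type != "ip:port":
            continue
        ip, port = refang(raw).rsplit(":", 1)
        iocs.setdefault(ip, set()).add(int(port))
    return iocs


def to_kql_let(iocs: Dict[str, Set[int]], name: str = "malicious_ips") -> str:
    """Render the IP list as the KQL 'let' line used by the hunting queries."""
    quoted = ", ".join(f'"{ip}"' for ip in sorted(iocs))
    return f"let {name} = dynamic([{quoted}]);"


def classify(event: dict, iocs: Dict[str, Set[int]]) -> Optional[str]:
    """'exact' when IP and port both match, 'ip-only' when just the IP does."""
    ports = iocs.get(event["RemoteIP"])
    if ports is None:
        return None
    return "exact" if event["RemotePort"] in ports else "ip-only"


def hunt(events: List[dict], iocs: Dict[str, Set[int]]) -> List[dict]:
    """Return matching events with a match grade and a triage tag."""
    hits = []
    for ev in events:
        grade = classify(ev, iocs)
        if grade is None:
            continue
        proc = ev["InitiatingProcessFileName"].lower()
        if proc.endswith(".exe"):
            proc = proc[:-4]
        triage = "review-known-tool" if proc in REVIEW_PROCESSES else "investigate"
        hits.append({**ev, "Match": grade, "Triage": triage})
    return hits


# Constructed sample telemetry, not real data; the fields mirror the
# DeviceNetworkEvents columns projected by the query above.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-16T08:01:00Z", "DeviceName": "ws-01", "RemoteIP": "15.237.111.251",
     "RemotePort": 8443, "InitiatingProcessFileName": "chrome.exe", "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2026-06-16T08:02:00Z", "DeviceName": "srv-02", "RemoteIP": "212.193.5.199",
     "RemotePort": 443, "InitiatingProcessFileName": "curl", "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2026-06-16T08:03:00Z", "DeviceName": "mon-01", "RemoteIP": "10.0.0.5",
     "RemotePort": 9000, "InitiatingProcessFileName": "prometheus", "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2026-06-16T08:04:00Z", "DeviceName": "ws-03", "RemoteIP": "212.193.5.199",
     "RemotePort": 9000, "InitiatingProcessFileName": "powershell.exe", "ActionType": "ConnectionSuccess"},
]

if __name__ == "__main__":
    iocs = parse_ip_port_iocs(IOC_TABLE)
    print(to_kql_let(iocs))
    for hit in hunt(SAMPLE_EVENTS, iocs):
        print(hit["Timestamp"], hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"],
              hit["InitiatingProcessFileName"], hit["Match"], hit["Triage"])
```

On the sample data the third event never matches (the IOC port is reused by an internal host, which is exactly the Prometheus scenario above), the curl event is an IP-only hit tagged for review, and the two exact hits from a browser and PowerShell are left as investigate. Keeping the review tag instead of a `where not in` exclusion means the scenario filters narrow analyst attention without silently dropping a true C2 connection.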