Evilginx is an adversary-in-the-middle (AiTM) phishing framework: it reverse-proxies a legitimate login page to the victim, relays the real TLS session behind the scenes, and captures both the submitted credentials and the resulting session cookie, so the operator can bypass MFA by replaying the authenticated session. The indicators below are the IP:port pairs reported to ThreatFox as Evilginx infrastructure. SOC teams should hunt for connections to them in Azure Sentinel (now Microsoft Sentinel) to catch AiTM phishing and session-token theft before the stolen session is used.
IOC Summary
Malware Family: Evilginx
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 185[.]212[.]129[.]6:9000 | botnet_cc | 2026-05-29 | 75% |
| ip:port | 185[.]212[.]129[.]146:9000 | botnet_cc | 2026-05-29 | 75% |
```kql
// Hunt for network connections to the Evilginx IOC addresses in firewall/proxy logs
// Source: ThreatFox - Evilginx. The reported port is 9000; the match is on IP only and
// the port is kept in the output so a hit on another port still surfaces for triage.
// RequestURL is included because proxy logs carry the indicator in the URL, not in DestinationIP.
let malicious_ips = dynamic(["185.212.129.6", "185.212.129.146"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity, RequestURL
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// If egress goes through a web proxy, RemoteIP is the proxy's address and the indicator
// only appears in RemoteUrl, so both are checked. has_any matches whole terms, so
// "185.212.129.6" does not match a URL containing 185.212.129.60.
let malicious_ips = dynamic(["185.212.129.6", "185.212.129.146"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips) or RemoteUrl has_any (malicious_ips)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) data connector from firewalls and web proxies. Ensure the connector is enabled and that the egress devices forward their traffic logs, otherwise the first query returns nothing even when a connection occurred. |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (Defender for Endpoint) data connector. Ensure the connector is enabled and network events are being collected from the onboarded endpoints. |
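The script below is an added example, not code from the original page or from ThreatFox. It reproduces offline what the CommonSecurityLog hunt does: it refangs the published `ip:port` indicators, emits the same `dynamic([...])` literal the queries use, and matches constructed CEF lines on exact destination or source address. It also covers two cases a plain IP match gets wrong: a proxied request where the indicator appears only in the request URL (CEF `request`, which lands in the `RequestURL` column), and a near-miss address, 185.212.129.60, that a substring or `contains` match would flag. The CEF lines, vendor names, hosts and timestamps are constructed for the example.

```python
"""Run the CommonSecurityLog hunt logic offline against constructed CEF lines.

Added example, not part of the original page. Refangs the published ip:port
indicators, matches them the way the KQL queries do, and handles a proxied
request (indicator only in the URL) and a near-miss address (185.212.129.60).
"""
import re
from urllib.parse import urlsplit

# Indicator values exactly as published in the IOC table (defanged).
DEFANGED_IOCS = ["185[.]212[.]129[.]6:9000", "185[.]212[.]129[.]146:9000"]


def refang(value: str) -> str:
    """Undo common defanging: '[.]' -> '.' and 'hxxp' -> 'http'."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc(ioc: str) -> tuple[str, int]:
    """'185[.]212[.]129[.]6:9000' -> ('185.212.129.6', 9000)."""
    ip, _, port = refang(ioc).rpartition(":")
    return ip, int(port)


IOC_PAIRS = {parse_ioc(i) for i in DEFANGED_IOCS}  # {(ip, port), ...}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}               # exact-match set, never substrings


def kql_ip_list() -> str:
    """Emit the refanged addresses as the dynamic([...]) literal used in the KQL hunts."""
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted(IOC_IPS)) + "])"


# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
# Extension keys map to CommonSecurityLog columns: src -> SourceIP, dst -> DestinationIP,
# dpt -> DestinationPort, act -> DeviceAction, request -> RequestURL, rt -> receipt time.
_KV = re.compile(r"(\w+)=(\S+)")


def parse_cef(line: str) -> dict:
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    event = dict(_KV.findall(parts[7]))
    event["_vendor"], event["_product"], event["_name"] = parts[1], parts[2], parts[5]
    return event


def classify(event: dict):
    """Return (matched_ip, kind) or None; kind is 'ip:port', 'ip' or 'proxied-url'."""
    dst, dpt = event.get("dst"), event.get("dpt")
    if dst in IOC_IPS:
        exact = dpt is not None and (dst, int(dpt)) in IOC_PAIRS
        return dst, ("ip:port" if exact else "ip")
    if event.get("src") in IOC_IPS:
        return event["src"], "ip"
    # Proxied egress: dst is the proxy, the indicator only shows up in the URL host.
    url = event.get("request")
    if url:
        host = urlsplit(refang(url)).hostname
        if host in IOC_IPS:
            return host, "proxied-url"
    return None


def hunt(lines):
    """Return one dict per matching event, in input order."""
    hits = []
    for line in lines:
        event = parse_cef(line)
        match = classify(event)
        if match:
            hits.append({"rt": event.get("rt"), "src": event.get("src"),
                         "ioc": match[0], "kind": match[1], "act": event.get("act")})
    return hits


# Constructed sample events (not real telemetry; vendor and product names are placeholders).
SAMPLE_CEF = [
    "CEF:0|ExampleFW|NGFW|1.0|100|Traffic|3|rt=2026-05-30T08:01:12Z src=10.0.0.5 dst=185.212.129.6 dpt=9000 act=allow",
    "CEF:0|ExampleFW|NGFW|1.0|100|Traffic|3|rt=2026-05-30T08:02:40Z src=10.0.0.7 dst=185.212.129.146 dpt=443 act=deny",
    "CEF:0|ExampleFW|NGFW|1.0|100|Traffic|3|rt=2026-05-30T08:03:01Z src=10.0.0.5 dst=8.8.8.8 dpt=53 act=allow",
    "CEF:0|ExampleProxy|WebGateway|2.1|200|Web Request|5|rt=2026-05-30T08:05:19Z src=10.0.0.12 dst=10.0.0.250 dpt=3128 request=https://185.212.129.6:9000/login act=allow",
    # Near miss: .60 shares a prefix with .6 and must NOT match.
    "CEF:0|ExampleFW|NGFW|1.0|100|Traffic|3|rt=2026-05-30T08:06:00Z src=10.0.0.9 dst=185.212.129.60 dpt=9000 act=allow",
]

if __name__ == "__main__":
    print(kql_ip_list())
    for hit in hunt(SAMPLE_CEF):
        print(hit)
```

Three of the five lines are hits: the exact `ip:port` connection, the denied connection to the second address on port 443 (kept, because the address is the durable part of the indicator), and the proxied request whose destination is the internal proxy. The near-miss line is rejected because matching is done against a set of whole addresses, which is also why the KQL uses `in` and `has_any` rather than `contains`.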
The indicators are IP:port pairs, so a hit is a network flow to 185.212.129.6 or 185.212.129.146 regardless of which process produced it. File names, archive contents and rotated logs cannot match an IP indicator, and an internal address cannot match a public one, so exclusions keyed on the wget, tar, rsyslog or netstat process names, or on "destination within the internal network", do not reduce false positives for this hunt; they only hide a real connection made through one of those tools. The scenarios that can actually produce or distort a hit are the following.
Scenario: Deliberate Validation by Security Staff
Description: An analyst uses curl or wget from an analysis host to confirm that an indicator is still live, which produces a genuine connection to the IOC address.
Filter/Exclusion: Do not exclude by process name or command-line flag. Keep the analysis hosts in a watchlist and route their hits to a separate low-priority queue so the remaining hits stay high-fidelity.
Scenario: Egress Through a Web Proxy
Description: When clients reach the internet through a proxy, DeviceNetworkEvents records the proxy as RemoteIP and the firewall records the proxy as SourceIP, so an IP-only match either misses the connection or attributes it to the proxy instead of the victim host.
Filter/Exclusion: No exclusion. Extend the hunt to RemoteUrl in DeviceNetworkEvents and to RequestURL in the proxy's CommonSecurityLog records, and pivot from the proxy log to the original client.
Scenario: Connection Blocked by Firewall or Proxy
Description: A denied connection (DeviceAction deny or block) still means a user or process tried to reach the phishing infrastructure, typically after following a lure.
Filter/Exclusion: Do not exclude denies. Triage them like allowed connections: identify the initiating process, the user, and the email or link that led to the attempt.
Scenario: Same Address, Different Port
Description: The indicator names port 9000, but the hunting queries match on the address, so connections to the same IP on another port (for example 443) also surface.
Filter/Exclusion: Keep these hits; the address, not the port, is the durable part of the indicator. Use DestinationPort or RemotePort only to prioritise exact ip:port matches.
Scenario: Indicator Aging and Address Reuse
Description: The indicators carry 75% confidence and a first-seen date, and hosting addresses are reassigned over time, so a hit long after first-seen may be traffic to an unrelated tenant of the same IP.
Filter/Exclusion: Before acting on a late hit, re-check the indicator's status in ThreatFox and the current hosting of the address; retire stale indicators rather than adding per-process exclusions.