Adversaries may be using the Evilginx infrastructure listed below to perform credential phishing and exfiltrate sensitive data by impersonating legitimate services. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate potential compromise of user credentials and internal systems.
IOC Summary
Malware Family: Evilginx
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 64[.]199[.]252[.]59:3333 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 185[.]212[.]128[.]72:9000 | botnet_cc | 2026-05-11 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Evilginx
let malicious_ips = dynamic(["64.199.252.59", "185.212.128.72"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["64.199.252.59", "185.212.128.72"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
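As an added example (not part of the original hunt page), the following Python script refangs the defanged ip:port values from the IOC table above into the `let malicious_ips = dynamic([...])` line the queries use, then applies the same IP match to constructed sample CommonSecurityLog-style records. It additionally records whether the destination port also matched, because the KQL above matches on IP alone; the sample events and field names are assumptions for illustration.

```python
import ipaddress

# Constructed: the two defanged ThreatFox-style Evilginx IOCs from the table above.
IOC_ROWS = [
    ("ip:port", "64[.]199[.]252[.]59:3333"),
    ("ip:port", "185[.]212[.]128[.]72:9000"),
]

# Constructed sample CommonSecurityLog-style records, not real telemetry
# (10.0.0.0/8 sources; 203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-11T08:01:00Z", "SourceIP": "10.0.5.12",
     "DestinationIP": "64.199.252.59", "DestinationPort": 3333},
    {"TimeGenerated": "2026-05-11T08:02:00Z", "SourceIP": "10.0.5.13",
     "DestinationIP": "185.212.128.72", "DestinationPort": 443},
    {"TimeGenerated": "2026-05-11T08:03:00Z", "SourceIP": "10.0.5.14",
     "DestinationIP": "203.0.113.7", "DestinationPort": 443},
]

def refang(value):
    """Turn a defanged indicator back into a usable one ('[.]' -> '.', 'hxxp' -> 'http')."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def parse_ip_port(value):
    """Split an ip:port IOC into (ip, port); rejects anything that is not a valid IP."""
    host, _, port = refang(value).rpartition(":")
    ipaddress.ip_address(host)  # raises ValueError on a malformed indicator
    return host, int(port)

def kql_ip_list(rows):
    """Render the IOC IPs as the 'let malicious_ips = dynamic([...])' line the queries use."""
    ips = sorted({parse_ip_port(v)[0] for t, v in rows if t == "ip:port"})
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"

def match_events(events, rows):
    """Mimic the Sentinel query: flag any event whose source or destination IP is an IOC.
    A destination IP+port hit is recorded separately, since it is stronger evidence
    than an IP-only hit (the same host may serve unrelated traffic on other ports)."""
    iocs = {parse_ip_port(v) for t, v in rows if t == "ip:port"}
    ioc_ips = {ip for ip, _ in iocs}
    hits = []
    for ev in events:
        for side in ("SourceIP", "DestinationIP"):
            if ev.get(side) in ioc_ips:
                port_hit = side == "DestinationIP" and (ev[side], ev.get("DestinationPort")) in iocs
                hits.append({**ev, "matched_on": side, "port_match": port_hit})
                break
    return hits
```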
Scenario: Legitimate Scheduled Job Using curl to Fetch Internal Reports
Description: A scheduled job runs daily to fetch internal compliance reports from an internal server using curl.
Filter/Exclusion: Exclude curl commands where the destination IP is within the internal network range (e.g., 10.0.0.0/8) and the URL contains /reports/.

Scenario: System Administrator Using wget to Download Patch Files
Description: An admin uses wget to download a security patch from a trusted internal repository.
Filter/Exclusion: Exclude wget commands where the URL is from a known internal repository (e.g., http://patch-repo.internal.example.com) and the file hash matches a known good patch.

Scenario: Log Management Tool Using rsync to Sync Logs to a Central Server
Description: A log management tool uses rsync to transfer logs to a central logging server.
Filter/Exclusion: Exclude rsync commands where the source and destination are internal servers (e.g., rsync://log-server.internal.example.com) and the transfer is scheduled via a known job scheduler.

Scenario: DevOps Pipeline Using scp to Transfer Artifacts Between Servers
Description: A CI/CD pipeline uses scp to transfer build artifacts between development and staging servers.
Filter/Exclusion: Exclude scp commands where the source and destination are within the same internal network (e.g., 192.168.1.0/24) and the transfer is part of a known deployment process.

Scenario: Database Backup Using mysqldump to External Cloud Storage
Description: A database backup process uses mysqldump to export data to an external cloud storage bucket.