Techniques
Sample rules
Detect DNS requests to Phishing Sites leveraging EvilGinx2
- source: splunk
- techniques:
- T1566.003
Description
This search looks for DNS queries for domains whose hostnames match the patterns used by EvilGinx2 phishlets, the reverse-proxy templates EvilGinx2 uses to mimic the login pages of Amazon, Facebook, GitHub, O365, Outlook, AWS and Google while relaying credentials and session cookies to the attacker. Matching domains are checked against the legit_domains.csv allowlist, and the surviving hits are joined to the Web data model so the URLs the client actually browsed to are shown next to the DNS answer. The evilginx_phishlets_* macros, the legit_domains.csv lookup (with a domain field) and the _filter macro must exist in the deployment, and the security_content_summariesonly macro controls whether the tstats stages read only accelerated data.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host
| `drop_dm_object_name(DNS)`
| rex field=query ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}\.\S{2,3}))$"
| stats count values(query) as query by domain dest src answer
| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google`
| search NOT [ inputlookup legit_domains.csv | fields domain ]
| join domain type=outer [
    | tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site
    | rename "Web.*" as *
    | rex field=site ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}\.\S{2,3}))$"
    | table dest domain url ]
| table count src dest query answer domain url
| `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`
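To see what the pipeline above does on concrete records, here is an added Python re-implementation of its stages (example code written for this page, not Splunk's rule or any part of security_content). The evilginx_phishlets_* macros and legit_domains.csv are not shown on this page, so the phishlet patterns and the allowlist below are hypothetical stand-ins, and the DNS and web records are constructed. Two details of the SPL are reproduced on purpose: the final count counts tstats rows (one per dest/src/query/host), not raw DNS events, and firstTime/lastTime are computed by tstats but dropped by the following stats.

```python
"""Added re-implementation of the EvilGinx2 DNS search on constructed data.
Not Splunk's code; phishlet patterns and allowlist are assumptions."""
import re
from collections import defaultdict

# The rule's rex: last label plus a 2-3 character TLD, or a two-part
# suffix such as co.uk (the dot between the two parts escaped).
DOMAIN_RE = re.compile(r".*?(?P<domain>[^./:]+\.(\S{2,3}|\S{2,3}\.\S{2,3}))$")

# HYPOTHETICAL stand-ins for the `evilginx_phishlets_*` macros, which the
# page does not define: each matches the leading host label a phishlet for
# that service would typically proxy (e.g. login.<attacker-domain>).
PHISHLET_PATTERNS = {
    "0365":     re.compile(r"^login\."),
    "outlook":  re.compile(r"^outlook\."),
    "google":   re.compile(r"^accounts\."),
    "github":   re.compile(r"^github\."),
    "amazon":   re.compile(r"^(www\.)?amazon\."),
    "aws":      re.compile(r"^signin\."),
    "facebook": re.compile(r"^(www\.)?facebook\."),
}

# Constructed stand-in for the legit_domains.csv lookup (field: domain).
LEGIT_DOMAINS = {"microsoftonline.com", "microsoft.com", "google.com", "amazon.com"}

# Constructed Network_Resolution.DNS records (a few fields of the data model).
DNS_EVENTS = [
    {"_time": 1700000000, "host": "dns01", "src": "10.0.0.5", "dest": "10.0.0.53",
     "query": "login.rnicrosoft-secure.com", "answer": "203.0.113.10"},
    {"_time": 1700000060, "host": "dns01", "src": "10.0.0.5", "dest": "10.0.0.53",
     "query": "login.rnicrosoft-secure.com", "answer": "203.0.113.10"},  # same tstats row
    {"_time": 1700000120, "host": "dns01", "src": "10.0.0.5", "dest": "10.0.0.53",
     "query": "www.rnicrosoft-secure.com", "answer": "203.0.113.10"},
    {"_time": 1700000180, "host": "dns01", "src": "10.0.0.5", "dest": "10.0.0.53",
     "query": "login.microsoftonline.com", "answer": "20.190.160.1"},   # allowlisted
    {"_time": 1700000240, "host": "dns02", "src": "10.0.0.7", "dest": "10.0.0.53",
     "query": "login.secure-bank.co.uk", "answer": "203.0.113.11"},    # two-part suffix
    {"_time": 1700000300, "host": "dns02", "src": "10.0.0.9", "dest": "10.0.0.53",
     "query": "www.example.com", "answer": "93.184.216.34"},            # no phishlet match
]
# Constructed Web.Web records; only the first phishing domain was browsed to.
WEB_EVENTS = [
    {"dest": "203.0.113.10", "site": "login.rnicrosoft-secure.com",
     "url": "https://login.rnicrosoft-secure.com/common/oauth2/v2.0/authorize"},
]


def registrable_domain(name):
    """Equivalent of `rex field=query ...`; None where the rex would not match."""
    m = DOMAIN_RE.match(name)
    return m.group("domain") if m else None


def matching_phishlet(queries):
    """Equivalent of the chained `search evilginx_phishlets_* OR ...`."""
    for q in sorted(queries):
        for name, pat in PHISHLET_PATTERNS.items():
            if pat.search(q):
                return name
    return None


def detect(dns_events, web_events, legit_domains):
    # Stage 1, tstats: one row per dest/src/query/host with the set of answers
    # (firstTime/lastTime would be computed here but the next stats drops them).
    rows = defaultdict(set)
    for ev in dns_events:
        rows[(ev["dest"], ev["src"], ev["query"], ev["host"])].add(ev["answer"])
    # Stage 2, stats count values(query) by domain dest src answer: count is the
    # number of tstats rows, and a multivalue answer splits a row across groups.
    groups = defaultdict(lambda: {"count": 0, "query": set()})
    for (dest, src, query, _host), answers in rows.items():
        domain = registrable_domain(query)
        if domain is None:
            continue
        for answer in answers:
            g = groups[(domain, dest, src, answer)]
            g["count"] += 1
            g["query"].add(query)
    # Join source: Web data model, site -> registrable domain -> URLs.
    urls_by_domain = defaultdict(set)
    for w in web_events:
        d = registrable_domain(w["site"])
        if d is not None:
            urls_by_domain[d].add(w["url"])
    # Phishlet filter, allowlist exclusion, outer join, final table.
    results = []
    for (domain, dest, src, answer), g in sorted(groups.items()):
        phishlet = matching_phishlet(g["query"])
        if phishlet is None or domain in legit_domains:
            continue
        results.append({"count": g["count"], "src": src, "dest": dest,
                        "query": sorted(g["query"]), "answer": answer,
                        "domain": domain, "phishlet": phishlet,
                        "url": sorted(urls_by_domain.get(domain, ()))})  # [] if never browsed
    return results


if __name__ == "__main__":
    for hit in detect(DNS_EVENTS, WEB_EVENTS, LEGIT_DOMAINS):
        print(hit)
```

Running it yields two hits: rnicrosoft-secure.com with count 2 (two distinct queries, three raw lookups) and the visited OAuth URL from the web join, and secure-bank.co.uk with an empty url list because the outer join found no web record; login.microsoftonline.com matches the 0365 pattern but is dropped by the allowlist, which is exactly the role legit_domains.csv plays in the rule. The crude leading-label patterns also show why the allowlist is load-bearing: any real "login." host the organisation uses that is missing from the lookup will surface as a hit.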