If a known good domain is not listed in the legit_domains.csv file, then the search could give you false positives. Please update that lookup file to filter out DNS requests to legitimate domains.

Techniques

Sample rules

Detect DNS requests to Phishing Sites leveraging EvilGinx2

Description

This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host
| `drop_dm_object_name(DNS)`
| rex field=query ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$"
| stats count values(query) as query by domain dest src answer
| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google`
| search NOT [ inputlookup legit_domains.csv | fields domain ]
| join domain type=outer [
| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site
| rename "Web.*" as *
| rex field=site ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$"
| table dest domain url ]
| table count src dest query answer domain url
| `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`
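Added example (not part of this LoFP entry or of the Splunk rule): a Python reproduction of the rule's rex domain extraction and the `NOT [inputlookup legit_domains.csv]` filter, run over constructed DNS queries, to show how a legitimate domain missing from the lookup file surfaces as a false positive. The bodies of the evilginx_phishlets_* macros are not on the page, so treating each as a brand keyword matched against the query is an assumption.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Same regex the rule's rex command uses to pull a domain out of a DNS query,
# e.g. "accounts.google.com" -> "google.com". Note the unescaped "." inside the
# second alternative is kept as in the rule: it matches any character, which
# makes the capture looser than a strict "label.label.tld" pattern.
DOMAIN_RE = re.compile(r".*?(?P<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$")

# Assumption: each evilginx_phishlets_* macro on the page is modelled as a
# substring match of its suffix against the query (macro bodies are not shown).
PHISHLET_KEYWORDS = ("amazon", "facebook", "github", "0365", "outlook", "aws", "google")


def extract_domain(query: str) -> Optional[str]:
    """Mirror of the SPL rex: the captured domain, or None when it does not match."""
    m = DOMAIN_RE.match(query)
    return m.group("domain") if m else None


def flag_queries(queries: Sequence[str], legit_domains: Sequence[str]) -> List[Tuple[str, str]]:
    """(query, domain) pairs the rule would surface: a phishlet keyword appears in
    the query and the extracted domain is not in the legit_domains allowlist."""
    allow = {d.lower() for d in legit_domains}
    hits = []
    for q in queries:
        domain = extract_domain(q)
        if domain is None:
            continue
        if any(k in q.lower() for k in PHISHLET_KEYWORDS) and domain.lower() not in allow:
            hits.append((q, domain))
    return hits


# Constructed sample DNS queries (not from any real log).
SAMPLE_QUERIES = [
    "accounts.google.com",       # legitimate brand domain; a false positive if not allowlisted
    "github.com",
    "login-amazon.example.net",  # brand keyword in a host name under an unrelated domain
    "intranet.corp.internal",    # no phishlet keyword, never surfaced
]


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Results before and after adding google.com to the legit_domains lookup."""
    before = flag_queries(SAMPLE_QUERIES, ["github.com"])
    after = flag_queries(SAMPLE_QUERIES, ["github.com", "google.com"])
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before updating lookup:", b)
    print("after updating lookup: ", a)
```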