Detect DNS Requests To Phishing Sites Leveraging Evilginx2

Description

This search looks for DNS requests to phishing domains that leverage EvilGinx tools to mimic legitimate websites.

Help

Detect DNS Requests To Phishing Sites Leveraging Evilginx2 Help

You need to ingest data from your DNS logs into the Network_Resolution datamodel. Specifically, you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach also allows you to create your own localized passive DNS capability, which can aid you in future investigations. You will have to add legitimate domain names to the legit_domains.csv file shipped with the app.

Splunk>Phantom Playbook Integration

If Splunk>Phantom is also configured in your environment, a Playbook called Lets Encrypt Domain Investigate can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk (https://splunkbase.splunk.com/app/3411/), add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.

(Playbook link: https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/)
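The ingestion requirements above (queried domain, source host, and ideally answer and query type, checked against a legit_domains.csv allow-list), worked through as an added Python example; this is not the detection's own SPL or any code from the app. The log line format, the brand tokens, and the sample records and allow-list are all constructed assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample DNS resolution records in the shape the Help text asks for:
# timestamp, querying host IP, queried domain, answer, query type.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 login.microsoftonline.com 20.190.1.1 A
2024-01-01T10:00:01Z 10.0.0.5 login.microsoft0nline.com 203.0.113.10 A
2024-01-01T10:00:02Z 10.0.0.7 okta.com 198.51.100.4 A
2024-01-01T10:00:03Z 10.0.0.7 okta-verify-sso.com 203.0.113.11 A
2024-01-01T10:00:04Z 10.0.0.9 cdn.example.com 192.0.2.8 A
"""
# Constructed stand-in for the legit_domains.csv allow-list shipped with the app.
LEGIT_DOMAINS_CSV = "domain\nmicrosoftonline.com\nokta.com\nexample.com\n"
# Hypothetical brand tokens: a brand name embedded in a registered domain that is not
# allow-listed is the lookalike pattern an Evilginx2-style proxy phish relies on.
BRAND_TOKENS = ("microsoft", "okta")

def registered_domain(fqdn):
    """Reduce a FQDN to its registered domain (naive two-label rule, no public-suffix list)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def load_legit_domains(csv_text):
    """Parse the allow-list CSV (one 'domain' column) into a lowercase set."""
    return {row["domain"].strip().lower() for row in csv.DictReader(io.StringIO(csv_text))}

def build_passive_dns(log_text):
    """Parse log lines into records plus a query -> set(answers) map (local passive DNS)."""
    records, pdns = [], defaultdict(set)
    for line in log_text.splitlines():
        ts, src, query, answer, qtype = line.split()
        query = query.lower()
        records.append({"time": ts, "src": src, "query": query, "answer": answer, "qtype": qtype})
        pdns[query].add(answer)
    return records, pdns

def find_suspicious_queries(records, legit):
    """Flag queries whose registered domain is not allow-listed but embeds a brand token."""
    hits = []
    for r in records:
        reg = registered_domain(r["query"])
        if reg not in legit and any(tok in reg for tok in BRAND_TOKENS):
            hits.append({"src": r["src"], "query": r["query"], "answer": r["answer"]})
    return hits

if __name__ == "__main__":
    recs, pdns = build_passive_dns(SAMPLE_DNS_LOG)
    for hit in find_suspicious_queries(recs, load_legit_domains(LEGIT_DOMAINS_CSV)):
        print(hit, "resolution history:", sorted(pdns[hit["query"]]))
```

The retained query-to-answer map is the "localized passive DNS" the text mentions: once a lookalike domain is flagged, its resolution history is already on hand for the investigation.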

Search
