olihough86 / stinkyphish

Monitor Certificate Transparency Logs For Phishing Domains
MIT License

Implement evilginx detection #7

Open olihough86 opened 6 years ago

olihough86 commented 6 years ago

evilginx - https://github.com/kgretzky/evilginx2 uses the server header openresty/1.11.2.2

Should be easy to check on high-scoring domains though as a basic test may generate too much spam.

xNymia commented 5 years ago

Unfortunately, a well-configured EvilGinx2 setup will use TLS certificates and render this detection useless, as the server header will be inside the encrypted blob.

This is an issue I'm also banging my head against for writing detections at this time, also because this platform is terrifying in its ability.
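
The check proposed in the first comment, as an added example that is not part of the issue thread or the stinkyphish code base: only domains at or above a score cut-off are probed, and a hit is a `Server` header equal to the value quoted in that comment. The threshold of 90, the function names and the sample domains are assumptions made for illustration.

```python
import http.client
import ssl

# Server header value quoted in the issue for evilginx.
EVILGINX_SERVER = "openresty/1.11.2.2"
# Assumed cut-off; the issue only says "high scoring domains".
SCORE_THRESHOLD = 90


def fetch_server_header(domain, timeout=5.0):
    """Send HEAD / over HTTPS and return the Server header, or None on failure.

    The probe is the TLS client, so it reads the header from its own
    decrypted response.
    """
    conn = http.client.HTTPSConnection(
        domain, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    except (OSError, http.client.HTTPException):
        return None  # unreachable, TLS failure or malformed reply
    finally:
        conn.close()


def flag_evilginx(scored_domains, threshold=SCORE_THRESHOLD, fetch=fetch_server_header):
    """Return domains at or above threshold whose Server header matches."""
    hits = []
    for domain, score in scored_domains:
        if score < threshold:
            continue  # never probe low scorers: keeps request volume and noise down
        server = fetch(domain)
        if server and server.strip().lower() == EVILGINX_SERVER:
            hits.append(domain)
    return hits


# Constructed sample data (not real domains or scores).
SAMPLE_SCORES = [("login-secure.example.test", 120), ("shop.example.test", 95),
                 ("blog.example.test", 10), ("down.example.test", 140)]
SAMPLE_HEADERS = {"login-secure.example.test": "openresty/1.11.2.2",
                  "shop.example.test": "nginx/1.18.0",
                  "blog.example.test": "openresty/1.11.2.2"}

if __name__ == "__main__":
    # Offline run: the fetcher is replaced by a lookup in the constructed table.
    print(flag_evilginx(SAMPLE_SCORES, fetch=SAMPLE_HEADERS.get))
```

A `Server` header is set by whoever operates the host, so a match is a lead to review and a miss proves nothing.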