The detection identifies potential PureLogs Stealer activity through known IOCs, indicating an adversary may be exfiltrating sensitive credentials from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate credential theft early in the attack lifecycle.
IOC Summary

Malware Family: PureLogs Stealer
Total IOCs: 3
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 20[.]81[.]43[.]36:1011 | botnet_cc | 2026-06-08 | 75% |
| ip:port | 20[.]81[.]43[.]36:8030 | botnet_cc | 2026-06-08 | 75% |
| domain | webdot.ddns.net | botnet_cc | 2026-06-08 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PureLogs Stealer
let malicious_ips = dynamic(["20.81.43.36"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["20.81.43.36"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - PureLogs Stealer
let malicious_domains = dynamic(["webdot.ddns.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
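As an added example (not part of the original detection content), the matcher below refangs the IOCs from the table above and runs them over constructed sample events whose field names mirror DeviceNetworkEvents and DnsEvents. The `strict_ports` switch contrasts matching only the listed C2 ports (1011, 8030) with the IP-only matching the KQL above performs; all event data is constructed.

```python
import ipaddress

# IOC rows copied from the table above, defanged with "[.]" as published.
PURELOGS_IOCS = [
    ("ip:port", "20[.]81[.]43[.]36:1011"),
    ("ip:port", "20[.]81[.]43[.]36:8030"),
    ("domain", "webdot.ddns.net"),
]

def refang(value):
    """Reverse the [.] defanging so the value can be compared with live telemetry."""
    return value.replace("[.]", ".").lower()

def load_indicators(iocs):
    """Return ({ip: {ports}}, {domains}); a malformed IP raises ValueError early."""
    ips, domains = {}, set()
    for kind, value in iocs:
        if kind == "ip:port":
            host, _, port = refang(value).rpartition(":")
            ipaddress.ip_address(host)
            ips.setdefault(host, set()).add(int(port))
        elif kind == "domain":
            domains.add(refang(value))
    return ips, domains

def match_event(event, ips, domains, strict_ports=True):
    """Return the IOC type an event hits ("ip:port", "domain") or None.
    strict_ports=False flags any port on a listed IP, like the KQL above."""
    ip, port = event.get("RemoteIP"), event.get("RemotePort")
    if ip in ips and (not strict_ports or port in ips[ip]):
        return "ip:port"
    name = (event.get("Name") or "").lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in domains):
        return "domain"
    return None

# Constructed sample telemetry (hypothetical hosts), not real logs.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "20.81.43.36", "RemotePort": 8030},
    {"DeviceName": "ws02", "RemoteIP": "20.81.43.36", "RemotePort": 443},
    {"DeviceName": "ws03", "Name": "webdot.ddns.net"},
    {"DeviceName": "ws04", "Name": "cdn.webdot.ddns.net."},
]

def hunt(events=SAMPLE_EVENTS, strict_ports=True):
    """Map DeviceName -> matched IOC type for every event that hits an indicator."""
    ips, domains = load_indicators(PURELOGS_IOCS)
    return {e["DeviceName"]: k for e in events
            if (k := match_event(e, ips, domains, strict_ports))}
```

With strict ports, ws02 (port 443 to the listed IP) is not flagged; dropping strictness reproduces the broader IP-only behaviour of the queries above, which surfaces more connections at the cost of more triage.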
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job for log management
Description: A scheduled job runs to collect and transfer logs using PureLogs, which is a legitimate log management tool.
Filter/Exclusion: Exclude processes associated with purelogs or logstash and filter by process names like purelogs-collector or purelogs-agent.

Scenario: Admin task to transfer logs to a SIEM system
Description: An administrator manually initiates a log transfer from PureLogs to a Security Information and Event Management (SIEM) system as part of routine operations.
Filter/Exclusion: Exclude processes initiated by admin accounts with known log transfer tasks, such as admin_user or siem_transfer.

Scenario: Use of PureLogs for compliance reporting
Description: The PureLogs tool is used to generate compliance reports that include log data from various systems.
Filter/Exclusion: Exclude processes that occur during scheduled compliance reporting windows, such as compliance_report_generator or audit_log_export.

Scenario: Log aggregation using PureLogs in a hybrid cloud environment
Description: PureLogs is used to aggregate logs from on-premises and cloud environments, which is a common practice in enterprise environments.
Filter/Exclusion: Exclude processes that originate from known cloud services (e.g., AWS, Azure) or have IP addresses associated with internal log aggregation servers.

Scenario: Use of PureLogs for application log monitoring
Description: The PureLogs tool is used to monitor and alert on application logs for performance or error tracking.
Filter/Exclusion: Exclude processes that are part of application monitoring workflows, such as app_monitoring or log_analyzer, and filter by known application log sources.