The detection identifies potential PureLogs Stealer activity through known IOCs, indicating an adversary may be exfiltrating sensitive credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate credential theft early in the attack lifecycle.
IOC Summary
Malware Family: PureLogs Stealer
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 38[.]49[.]217[.]157:22443 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 193[.]93[.]193[.]92:8572 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 155[.]94[.]163[.]11:56001 | botnet_cc | 2026-06-09 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PureLogs Stealer
let malicious_ips = dynamic(["155.94.163.11", "193.93.193.92", "38.49.217.157"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["155.94.163.11", "193.93.193.92", "38.49.217.157"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
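Both queries above match on the IP alone, whatever the port. As an added example that is not part of this page's detection content, the Python below refangs the table's `ip:port` indicators and runs the same check over a few constructed DeviceNetworkEvents-style rows, separating exact-socket hits (IP and port from the table) from IP-only hits that merit a look but are weaker; the event rows, device names and process names are made up.

```python
import re

# IOCs exactly as the page's table lists them (defanged ip:port form).
DEFANGED_IOCS = [
    "38[.]49[.]217[.]157:22443",
    "193[.]93[.]193[.]92:8572",
    "155[.]94[.]163[.]11:56001",
]

def refang(ioc: str) -> tuple:
    """Turn a defanged 'a[.]b[.]c[.]d:port' indicator into (ip, port)."""
    ip, port = ioc.replace("[.]", ".").rsplit(":", 1)
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError(f"not an IPv4 indicator: {ioc}")
    return ip, int(port)

IOC_SOCKETS = {refang(i) for i in DEFANGED_IOCS}   # {(ip, port), ...}
IOC_IPS = {ip for ip, _ in IOC_SOCKETS}

# Constructed sample rows shaped like DeviceNetworkEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-10T08:01:12Z", "DeviceName": "ws-017",
     "RemoteIP": "38.49.217.157", "RemotePort": 22443,
     "InitiatingProcessFileName": "svchost.exe", "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2026-06-10T08:03:40Z", "DeviceName": "ws-022",
     "RemoteIP": "193.93.193.92", "RemotePort": 443,
     "InitiatingProcessFileName": "chrome.exe", "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2026-06-10T08:05:02Z", "DeviceName": "ws-031",
     "RemoteIP": "10.0.0.5", "RemotePort": 445,
     "InitiatingProcessFileName": "explorer.exe", "ActionType": "ConnectionSuccess"},
]

def match_events(events):
    """Return (event, tier) for each event whose RemoteIP is an IOC.
    'ip_port' = the exact C2 socket from the table; 'ip_only' = same host,
    different port, which deserves a look but is a weaker match."""
    hits = []
    for ev in events:
        if (ev["RemoteIP"], int(ev["RemotePort"])) in IOC_SOCKETS:
            hits.append((ev, "ip_port"))
        elif ev["RemoteIP"] in IOC_IPS:
            hits.append((ev, "ip_only"))
    return hits

if __name__ == "__main__":
    for ev, tier in match_events(SAMPLE_EVENTS):
        print(f"{ev['Timestamp']} {ev['DeviceName']} {ev['RemoteIP']}:{ev['RemotePort']} "
              f"{ev['InitiatingProcessFileName']} -> {tier}")
```

Adding `and RemotePort == <port>` per indicator to the KQL gives the same exact-socket tier in Sentinel; the IP-only tier is what the page's queries already return.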
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: Legitimate Scheduled Job for Log Management
  - Description: A scheduled job runs to collect and transfer logs using PureLogs, which is a legitimate log management tool.
  - Filter/Exclusion: Exclude any activity related to the PureLogs executable (purelogs.exe) or its associated command-line arguments used in scheduled tasks.
- Scenario: System Maintenance Task for Log Cleanup
  - Description: An admin task is configured to clean up old log files, which may involve IOCs similar to those of PureLogs Stealer.
  - Filter/Exclusion: Exclude processes initiated by the System or Local System account with known log cleanup scripts or tools like logclean.exe.
- Scenario: Third-Party Monitoring Tool Integration
  - Description: A third-party monitoring tool (e.g., Splunk, ELK Stack) is configured to interface with PureLogs for real-time log analysis.
  - Filter/Exclusion: Exclude traffic or processes associated with known monitoring tools and their integration scripts with PureLogs.
- Scenario: Admin Task for Log Archiving
  - Description: An administrator runs a script to archive logs to a remote server, which may use similar IOCs as the PureLogs Stealer.
  - Filter/Exclusion: Exclude processes initiated by admin accounts with known log archiving scripts or tools like logarchive.exe.
- Scenario: Log Shipping via PowerShell Script
  - Description: A PowerShell script is used to ship logs to a centralized logging server, which may trigger the same IOCs as the PureLogs Stealer.
  - Filter/Exclusion: Exclude PowerShell scripts that are known to be used for log shipping and are signed by trusted administrators or IT departments.