This detection identifies potential PureLogs Stealer activity through known IOCs, indicating that an adversary may be exfiltrating sensitive credentials from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate credential theft early in the attack lifecycle.
IOC Summary
Malware Family: PureLogs Stealer
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]101[.]81[.]159:8443 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 5[.]101[.]81[.]224:8443 | botnet_cc | 2026-06-10 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PureLogs Stealer
// Note: the IOCs are ip:port (both on 8443); this query matches on address only.
// Add a DestinationPort filter if a narrower ip:port match is wanted.
let malicious_ips = dynamic(["5.101.81.224", "5.101.81.159"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Same IOC list; RemotePort is projected so the 8443 hits can be reviewed first.
let malicious_ips = dynamic(["5.101.81.224", "5.101.81.159"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
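As an added example (not part of the original detection content), the same hunt done offline in Python over constructed events: it refangs the defanged ip:port IOCs from the table above and distinguishes a full ip:port hit from an IP-only hit, which the KQL queries above do not, since they match on address alone. The event fields and sample values are assumptions modelled on the DeviceNetworkEvents columns projected above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defanged ip:port IOCs exactly as listed in the IOC summary table
# (ThreatFox, PureLogs Stealer, botnet_cc).
DEFANGED_IOCS = ["5[.]101[.]81[.]159:8443", "5[.]101[.]81[.]224:8443"]

def refang(ioc: str) -> Tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into (ip, port)."""
    ip, port = ioc.replace("[.]", ".").rsplit(":", 1)
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError(f"not an IPv4 ip:port IOC: {ioc}")
    return ip, int(port)

IOC_SET = {refang(i) for i in DEFANGED_IOCS}     # exact ip:port pairs
IOC_IPS = {ip for ip, _ in IOC_SET}              # addresses only, as the KQL matches

@dataclass
class NetEvent:
    """Assumed event shape mirroring the DeviceNetworkEvents columns projected above."""
    timestamp: str
    device: str
    remote_ip: str
    remote_port: int
    process: str

def classify(ev: NetEvent) -> Optional[str]:
    """'ip_port' if address and port match an IOC, 'ip_only' if just the address, else None."""
    if (ev.remote_ip, ev.remote_port) in IOC_SET:
        return "ip_port"
    if ev.remote_ip in IOC_IPS:
        return "ip_only"
    return None

def hunt(events: List[NetEvent]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, device, process, match_kind) for every event that hits an IOC."""
    return [(e.timestamp, e.device, e.process, k) for e in events if (k := classify(e))]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    NetEvent("2026-06-10T09:12:01Z", "ws-042", "5.101.81.159", 8443, "updater.exe"),
    NetEvent("2026-06-10T09:12:05Z", "ws-042", "5.101.81.224", 443,  "browser.exe"),
    NetEvent("2026-06-10T09:13:11Z", "ws-017", "13.107.4.50",  443,  "browser.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

An "ip_only" hit on a different port is still worth triage, but the full ip:port match is the one that corresponds to the ThreatFox entry.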
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled job for log management | A scheduled job runs to collect and process logs using PureLogs or similar log management tools. | Exclude processes associated with purelogs or logstash running under a known log management service account. |
| Admin task for system monitoring | An administrator is using a tool like PureLogs to monitor system performance and generate reports. | Exclude processes initiated by the system admin group or those with a known legitimate command-line interface (CLI) script used for monitoring. |
| Software update or patching activity | A patching tool or update manager is executing a script that matches the IOC pattern due to similar file names or paths. | Exclude processes related to known patching tools like Microsoft Update, WSUS, or Ansible with specific command-line arguments. |
| Internal tool for data exfiltration testing | A red team or security team is using a tool like PureLogs to simulate data exfiltration for a controlled security test. | Exclude processes running under a known test environment or with a specific test flag (e.g., `--test-mode` or `--simulate`). |
| Log aggregation from multiple sources | A log aggregation tool is collecting logs from various endpoints and temporarily storing them in a shared directory, which may match IOC patterns. | Exclude processes associated with Fluentd, Logstash, or Splunk that are part of a centralized logging infrastructure. |