The Loki Password Stealer is exfiltrating credentials and system data from compromised hosts, indicating potential lateral movement and data theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: Loki Password Stealer (PWS)
Total IOCs: 2
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://duclongetc.com/vvvv/need/work/Panel/five/fre.php? | botnet_cc | 2026-05-12 | 75% |
| url | hxxp://duclongetc.com/vvvv/need/work/Panel/five/fre.php | botnet_cc | 2026-05-12 | 100% |
// Hunt for access to known malicious URLs
// Source: ThreatFox - Loki Password Stealer (PWS)
let malicious_urls = dynamic(["https://duclongetc.com/vvvv/need/work/Panel/five/fre.php?", "http://duclongetc.com/vvvv/need/work/Panel/five/fre.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
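The query above compares raw URL strings, so the two listed variants (http vs. https, with and without the trailing `?`) are really one indicator. As an added example that is not part of the ThreatFox feed or the Sentinel query, the Python below refangs the defanged IOCs from the table, normalises both sides, and runs the same hunt over constructed UrlClickEvents-style rows.

```python
"""Offline check of the ThreatFox URL IOCs against sample UrlClickEvents rows.
Added example; the log rows below are constructed, not real telemetry."""
import re
from urllib.parse import urlsplit

# IOCs exactly as listed in the table (defanged with hxxp/hxxps)
DEFANGED_IOCS = [
    "hxxps://duclongetc.com/vvvv/need/work/Panel/five/fre.php?",
    "hxxp://duclongetc.com/vvvv/need/work/Panel/five/fre.php",
]

def refang(url: str) -> str:
    """Turn hxxp(s):// and [.] defanging back into a real URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")

def normalise(url: str) -> str:
    """Comparison form: drop the scheme, lower-case the host, keep the path
    as-is (paths are case-sensitive), and drop an empty trailing '?'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    return f"{host}{path}" + (f"?{parts.query}" if parts.query else "")

def iocs_normalised() -> set:
    """Both table entries collapse to a single normalised indicator."""
    return {normalise(refang(u)) for u in DEFANGED_IOCS}

def hunt(rows: list) -> list:
    """Return rows whose Url normalises to a known IOC (mirrors the KQL)."""
    wanted = iocs_normalised()
    return [r for r in rows if normalise(r["Url"]) in wanted]

# Constructed sample rows shaped like the projected UrlClickEvents columns
SAMPLE_ROWS = [
    {"Timestamp": "2026-05-12T09:14:03Z", "AccountUpn": "alice@example.test",
     "Url": "https://duclongetc.com/vvvv/need/work/Panel/five/fre.php?",
     "ActionType": "ClickAllowed"},
    {"Timestamp": "2026-05-12T09:20:41Z", "AccountUpn": "bob@example.test",
     "Url": "HTTP://DUCLONGETC.COM/vvvv/need/work/Panel/five/fre.php",
     "ActionType": "ClickBlocked"},
    {"Timestamp": "2026-05-12T10:02:17Z", "AccountUpn": "carol@example.test",
     "Url": "https://www.example.test/login", "ActionType": "ClickAllowed"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS):
        print(hit["Timestamp"], hit["AccountUpn"], hit["ActionType"], hit["Url"])
```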
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task is run by the system administrator to perform routine maintenance, such as disk cleanup or log rotation, which may involve executing scripts or tools like cleanmgr.exe or DISM.
Filter/Exclusion: Exclude processes associated with known system maintenance tools or tasks that are scheduled via Task Scheduler with a known admin user account.
Scenario: Admin Performing Credential Dumping for Forensic Analysis
Description: A security administrator uses tools like mimikatz or PowerView to perform credential dumping as part of a forensic investigation or incident response.
Filter/Exclusion: Exclude processes initiated by users with the Administrators group or those running under the Local System account, especially when using known forensic tools.
Scenario: Log Collection via Loki with Custom Scripts
Description: A DevOps team uses a custom script to collect logs from multiple servers using Loki, which may involve writing to or reading from log files or using tools like logrotate or rsyslog.
Filter/Exclusion: Exclude processes involving loki or prometheus related tools, or those that are part of a known log aggregation pipeline.
Scenario: Software Update or Patch Deployment
Description: A system administrator deploys a software update or patch using tools like Windows Update, WSUS, or Chocolatey, which may involve executing scripts or temporary files.
Filter/Exclusion: Exclude processes initiated by Windows Update services or by known patch management tools with known command-line arguments.
Scenario: Database Backup or Restore Operation
Description: A DBA runs a database backup or restore operation using tools like sqlcmd, mysqldump, or pg_dump, which may involve temporary file creation or credential handling.