The Loki Password Stealer is exfiltrating credentials to a command-and-control server, indicating a persistent credential theft operation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate lateral movement and data exfiltration risks early.
IOC Summary
Malware Family: Loki Password Stealer (PWS)
Total IOCs: 2
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 158[.]94[.]211[.]95:80 | botnet_cc | 2026-05-07 | 50% |
| url | hxxp://158[.]94[.]211[.]95/kelly/five/fre.php | botnet_cc | 2026-05-07 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Loki Password Stealer (PWS)
let malicious_ips = dynamic(["158.94.211.95"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Loki Password Stealer (PWS)
let malicious_ips = dynamic(["158.94.211.95"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Loki Password Stealer (PWS)
let malicious_urls = dynamic(["http://158.94.211.95/kelly/five/fre.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled job using schtasks.exe runs a script that inadvertently matches the PWS IOC due to similar command-line arguments or file names.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known legitimate command-line arguments or file paths associated with scheduled tasks.
Scenario: Admin Performing Credential Dump via Mimikatz
Description: An administrator uses mimikatz.exe to perform a credential dump during a security audit or incident response.
Filter/Exclusion: Exclude processes where the executable is mimikatz.exe and the process tree includes known security tools or is initiated from a privileged account with a legitimate purpose.
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script using powershell.exe is used to monitor system logs or collect metrics, and the script includes commands that resemble PWS behavior.
Filter/Exclusion: Exclude processes where the command line includes -Command or -File with paths to known internal monitoring scripts or tooling (including PowerShell.exe) used by the IT operations team.
Scenario: Software Update or Patch Deployment
Description: A legitimate software update or patch deployment uses a tool like msiexec.exe or setup.exe, which may have command-line arguments that match PWS IOC patterns.
Filter/Exclusion: Exclude processes initiated by known update tools (e.g., msiexec.exe, setup.exe) or from known patch management systems.
Scenario: Log Collection via LogParser or Similar Tool
Description: A log collection tool like logparser.exe or wevtutil.exe is used to gather logs, and its execution path or command-line arguments match the PWS IOC.
Filter/Exclusion: Exclude processes where