Loki Password Stealer (Loki PWS, also known as LokiBot) harvests saved credentials from browsers, mail and FTP clients and posts them over plain HTTP to its control panel; the `fre.php` path in the two IOCs below is that panel's gate. SOC teams should hunt for connections to it in Microsoft Sentinel (formerly Azure Sentinel) so that an infected host is found and isolated before the harvested credentials are reused.
IOC Summary
Malware Family: Loki Password Stealer (PWS)
Total IOCs: 2
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://duclongetc.com/vvvv/need/work/Panel/five/fre.php? | botnet_cc | 2026-05-12 | 75% |
| url | hxxp://duclongetc.com/vvvv/need/work/Panel/five/fre.php | botnet_cc | 2026-05-12 | 100% |
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Loki Password Stealer (PWS)
// Both IOCs are the same host and path; the scheme and the trailing "?" are not part
// of the indicator, so match on the parsed host and path instead of the full URL string
// (a query string appended by the sample would otherwise defeat a whole-URL match).
let c2_host = "duclongetc.com";
let c2_path = "/vvvv/need/work/Panel/five/fre.php";
UrlClickEvents
| extend ParsedUrl = parse_url(Url)
| where tostring(ParsedUrl.Host) =~ c2_host
| extend PanelPathMatch = tostring(ParsedUrl.Path) == c2_path
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, PanelPathMatch
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Safe Links click telemetry from Defender for Office 365 (links in email, Teams and Office files), ingested through the Microsoft Defender XDR connector; ensure that connector is enabled. It records user clicks only, so a running Loki sample posting to the panel will not appear here. |
| DeviceNetworkEvents | Endpoint network connections from Defender for Endpoint; `RemoteUrl` holds the host or URL of the connection and is where a beaconing sample's traffic to the panel lands. |
| CommonSecurityLog | Proxy and firewall logs in CEF; match on `RequestURL` and `DestinationHostName`. |
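The query above relies on the two feed URLs being matched as strings. The example below, added here and not part of the original hunt page, shows the normalisation a practitioner applies before loading such IOCs into a watchlist: the two ThreatFox entries are reduced to one (host, path) indicator, matched against URL-bearing records by host and path rather than by whole string, and emitted as a KQL `let`. The records are constructed for the demonstration and shaped like DeviceNetworkEvents rows (`RemoteUrl` is the real column); the device names, process names and the hosts other than duclongetc.com are invented.

```python
# Added example (not part of the original page): normalise ThreatFox URL IOCs to
# (host, path) and hunt them in URL-bearing log records by host and path.
from urllib.parse import urlsplit

# The two IOCs exactly as listed on the page (defanged with hxxp).
IOC_URLS = [
    "hxxps://duclongetc.com/vvvv/need/work/Panel/five/fre.php?",
    "hxxp://duclongetc.com/vvvv/need/work/Panel/five/fre.php",
]

# Constructed records in the shape of DeviceNetworkEvents rows; every value is invented
# except the C2 host and path taken from the IOCs above.
SAMPLE_RECORDS = [
    {"DeviceName": "ws-001", "InitiatingProcessFileName": "sample.exe",
     "RemoteUrl": "http://duclongetc.com/vvvv/need/work/Panel/five/fre.php"},
    {"DeviceName": "ws-002", "InitiatingProcessFileName": "sample.exe",
     "RemoteUrl": "HTTPS://DucLongEtc.com:443/vvvv/need/work/Panel/five/fre.php?id=7"},
    {"DeviceName": "ws-003", "InitiatingProcessFileName": "chrome.exe",
     "RemoteUrl": "https://duclongetc.com/"},
    {"DeviceName": "ws-004", "InitiatingProcessFileName": "chrome.exe",
     "RemoteUrl": "https://cdn.example.net/vvvv/need/work/Panel/five/fre.php"},
    {"DeviceName": "srv-01", "InitiatingProcessFileName": "powershell.exe",
     "RemoteUrl": "https://updates.example.net/patches/kb123.cab"},
]


def refang(url: str) -> str:
    """Undo the hxxp/hxxps defanging used by threat-intel feeds."""
    url = url.strip()
    return "http" + url[4:] if url.lower().startswith("hxxp") else url


def normalize(url: str) -> tuple[str, str]:
    """Reduce a URL to (host, path). Scheme, port, query, fragment and a stray trailing
    '?' are dropped and the host is lowercased; the path stays case-sensitive because
    the panel path on a typical Linux web server is case-sensitive."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path


def build_indicators(urls):
    """Collapse IOC URLs to a set of (host, path) pairs plus the set of hosts.
    The two page IOCs collapse to a single pair."""
    pairs = {normalize(u) for u in urls}
    hosts = {h for h, _ in pairs}
    return pairs, hosts


def classify(url, pairs, hosts):
    """'exact' for a host+path match (the C2 gate), 'host' for the domain alone
    (weaker, still worth a look), None otherwise. The same path on another host
    is not a hit: the path alone is not the indicator."""
    host, path = normalize(url)
    if (host, path) in pairs:
        return "exact"
    if host in hosts:
        return "host"
    return None


def hunt(records, urls=IOC_URLS):
    """Return the matching records with a Match column, exact matches first."""
    pairs, hosts = build_indicators(urls)
    hits = []
    for rec in records:
        verdict = classify(rec["RemoteUrl"], pairs, hosts)
        if verdict:
            hits.append({**rec, "Match": verdict})
    hits.sort(key=lambda r: r["Match"] != "exact")  # stable: exact first
    return hits


def literal_match(records, urls=IOC_URLS):
    """Whole-string comparison against the refanged feed values, for contrast: it
    misses the upper-cased host, the explicit :443 and any appended query string."""
    wanted = {refang(u) for u in urls}
    return [r for r in records if r["RemoteUrl"] in wanted]


def kql_let(urls, name="c2_hostpath"):
    """Emit a KQL let statement holding the normalised host+path indicators, ready
    for a hunt that compares strcat(Host, Path) from parse_url() against the list."""
    pairs, _ = build_indicators(urls)
    items = ", ".join(f'"{h}{p}"' for h, p in sorted(pairs))
    return f"let {name} = dynamic([{items}]);"


if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit["Match"], hit["DeviceName"], hit["RemoteUrl"])
    print("literal matches:", [r["DeviceName"] for r in literal_match(SAMPLE_RECORDS)])
    print(kql_let(IOC_URLS))
```

Running it shows three hits (two exact, one host-only) where whole-string comparison finds just one, and prints a single-entry `let` because the two feed rows describe the same gate.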
Scenario: Legitimate System Update via PowerShell
Description: An administrator's PowerShell session downloads an update from a vendor host. A vendor URL does not carry the `duclongetc.com` host or the `fre.php` panel path, so it cannot match this hunt as written; the exclusion only becomes relevant if the hunt is widened to a broader domain list or moved to an endpoint-network table such as DeviceNetworkEvents, where process context is available. Whatever exclusion is applied, a row whose URL host and path match the panel gate should never be suppressed.
Filter/Exclusion (KQL against DeviceNetworkEvents; `trusted_update_servers` is an assumed watchlist or `let` list): `| where not(InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessCommandLine has "update" and RemoteIP in (trusted_update_servers))`
Scenario: Scheduled Job for Credential Synchronization
Description: A scheduled task on a domain controller replicates directory data with repadmin or ntdsutil over LDAP (389) or LDAPS (636). That traffic carries no URL and cannot match a URL hunt; the exclusion applies only if the same indicator is hunted in DeviceNetworkEvents, where the LDAP connections appear as rows for these processes.
Filter/Exclusion (KQL against DeviceNetworkEvents): `| where not(InitiatingProcessFileName in~ ("repadmin.exe", "ntdsutil.exe") and RemotePort in (389, 636))`. Both conditions must hold; excluding on port 389/636 alone would suppress every LDAP connection from the host.
Scenario: Admin Task Using PsExec for Remote Execution
Description: An administrator runs PsExec to execute a patching or configuration script on a server. PsExec speaks SMB (445) to the target and produces no URL, so it cannot match this hunt; the exclusion is only meaningful for an endpoint-network hunt whose wider query pulls in psexec.exe rows.
Filter/Exclusion (KQL against DeviceNetworkEvents; `admin_accounts` and `trusted_servers` are assumed watchlists): `| where not(InitiatingProcessFileName =~ "psexec.exe" and InitiatingProcessAccountName in~ (admin_accounts) and RemoteIP in (trusted_servers))`
Scenario: False Positive from Threat Intelligence Feed
Description: The indicator may be mis-attributed or stale. ThreatFox records the first URL at 75% confidence, and a domain first seen on 2026-05-12 may since have been sinkholed, parked or re-registered, so a connection to it is not by itself proof of a live Loki infection. Do not exclude rows because the IP or domain appears on a blocklist; that discards exactly the rows the hunt exists to find.
Filter/Exclusion: none. Keep the hit, carry the feed confidence with it, and confirm the indicator's current status (its ThreatFox entry, registration and hosting) before closing or escalating.
Scenario: User-Initiated File Download for Research
Description: A security researcher, or an analysis sandbox, deliberately fetches the panel URL to study the stealer. This hunt matches on URLs only (no file hashes are listed), so the hit is genuine traffic to the C2 and should be confirmed as originating from an isolated analysis host or a known research account rather than suppressed globally.
**Filter/Ex