The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with high-severity malware and persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: Kimwolf
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 167[.]172[.]35[.]253:25001 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 206[.]189[.]109[.]161:25001 | botnet_cc | 2026-06-07 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
// Both IOCs are botnet C2 endpoints on port 25001; DestinationPort is projected so
// hits on that port (the exact C2 endpoint) can be separated from other traffic.
let malicious_ips = dynamic(["167.172.35.253", "206.189.109.161"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Kimwolf
// InitiatingProcessFileName identifies the process that opened the connection,
// which is the first pivot for triage when a host matches.
let malicious_ips = dynamic(["167.172.35.253", "206.189.109.161"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
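The queries above are built from the defanged `ip:port` entries in the IOC table. As an added example (not part of the ThreatFox feed or this rule), the script below refangs and validates those entries, renders the same `let malicious_ips = dynamic([...])` line the queries use, and checks constructed CommonSecurityLog-shaped records against the IOCs, distinguishing hits on the exact C2 port from hits on the IP alone. The sample records and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed from the two ThreatFox Kimwolf entries on this page (defanged ip:port).
KIMWOLF_IOCS = [
    "167[.]172[.]35[.]253:25001",
    "206[.]189[.]109[.]161:25001",
]


def refang_ip_port(ioc: str) -> tuple:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into a validated (ip, port) pair."""
    ip_text, sep, port_text = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ip = str(ipaddress.ip_address(ip_text))  # raises on malformed addresses
    port = int(port_text)
    if not 0 < port <= 65535:
        raise ValueError(f"bad port in IOC: {ioc!r}")
    return ip, port


def to_kql_let(iocs, name="malicious_ips") -> str:
    """Render the IP part of the IOC list as the KQL 'let' line used by the hunting queries."""
    ips = sorted({refang_ip_port(i)[0] for i in iocs})
    quoted = ", ".join(f'"{ip}"' for ip in ips)
    return f"let {name} = dynamic([{quoted}]);"


# Constructed sample records shaped like CommonSecurityLog rows (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "167.172.35.253", "DestinationPort": 25001},
    {"SourceIP": "10.0.0.7", "DestinationIP": "206.189.109.161", "DestinationPort": 443},
    {"SourceIP": "10.0.0.9", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]


def match_events(events, iocs):
    """Return (event, kind) for each event touching an IOC IP on either side.
    kind is 'ip+port' when the destination port is the IOC's C2 port (highest
    fidelity) or 'ip-only' when only the host matches (needs further triage)."""
    ioc_ports = {}
    for ioc in iocs:
        ip, port = refang_ip_port(ioc)
        ioc_ports.setdefault(ip, set()).add(port)
    hits = []
    for ev in events:
        for side in ("DestinationIP", "SourceIP"):
            ip = ev.get(side)
            if ip in ioc_ports:
                kind = "ip+port" if ev.get("DestinationPort") in ioc_ports[ip] else "ip-only"
                hits.append((ev, kind))
                break
    return hits
```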
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False-positive exclusions. The filters below use ECS-style field names (process.name, process.args, file.hash.sha256); when applying them to DeviceNetworkEvents, map them to the corresponding columns (InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256).

- Scenario: Legitimate system update using msiexec.exe
  Filter/Exclusion: `process.name != "msiexec.exe" or process.args not contains "/i"`
- Scenario: Scheduled backup job using vssadmin.exe
  Filter/Exclusion: `process.name != "vssadmin.exe" or process.args not contains "backup"`
- Scenario: Admin task using taskkill.exe to terminate a non-malicious process
  Filter/Exclusion: `process.name != "taskkill.exe" or process.args not contains "/F /IM"`
- Scenario: Legitimate software installation via msiexec.exe with a known vendor signature
  Filter/Exclusion: `process.name != "msiexec.exe" or file.hash.sha256 in (known_vendor_hashes)`
- Scenario: System maintenance task using schtasks.exe to run a legitimate script
  Filter/Exclusion: `process.name != "schtasks.exe" or process.args not contains "/create"`