The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with malware distribution and credential theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before significant damage occurs.
IOC Summary
Malware Family: Kimwolf
Total IOCs: 6
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]235[.]163[.]136:25001 | botnet_cc | 2026-04-21 | 100% |
| ip:port | 172[.]235[.]163[.]116:25001 | botnet_cc | 2026-04-21 | 100% |
| ip:port | 152[.]42[.]142[.]122:25001 | botnet_cc | 2026-04-21 | 100% |
| ip:port | 172[.]235[.]163[.]157:25001 | botnet_cc | 2026-04-21 | 100% |
| ip:port | 172[.]235[.]163[.]141:25001 | botnet_cc | 2026-04-21 | 100% |
| ip:port | 172[.]235[.]163[.]119:25001 | botnet_cc | 2026-04-21 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
// Note: the indicators are ip:port pairs (all on port 25001); this query matches on the
// address alone, so a hit on a different port is worth confirming against DestinationPort.
let malicious_ips = dynamic(["172.235.163.157", "172.235.163.141", "152.42.142.122", "172.235.163.119", "172.235.163.136", "172.235.163.116"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Same address-only match as above; RemotePort is projected so the 25001 indicator port can be checked.
let malicious_ips = dynamic(["172.235.163.157", "172.235.163.141", "152.42.142.122", "172.235.163.119", "172.235.163.136", "172.235.163.116"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
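The two queries above match on the address only, while the ThreatFox indicators are ip:port pairs. The following added example (not part of the ThreatFox rule or of Sentinel) refangs the six indicators from the table, then classifies constructed flow records into full ip:port hits and address-only hits so an analyst can triage the stricter matches first. The `FlowRecord` shape and the sample flows are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# The six ip:port indicators from the table above, kept in their defanged form.
KIMWOLF_IOCS = [
    "172[.]235[.]163[.]136:25001",
    "172[.]235[.]163[.]116:25001",
    "152[.]42[.]142[.]122:25001",
    "172[.]235[.]163[.]157:25001",
    "172[.]235[.]163[.]141:25001",
    "172[.]235[.]163[.]119:25001",
]

def refang_ip_port(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' indicator into (ip, port), validating both."""
    ip_text, _, port_text = ioc.replace("[.]", ".").rpartition(":")
    ip = ipaddress.ip_address(ip_text)   # ValueError on a malformed address
    port = int(port_text)                # ValueError on a non-numeric port
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in indicator: {ioc}")
    return str(ip), port

INDICATORS = {refang_ip_port(i) for i in KIMWOLF_IOCS}   # {(ip, port), ...}
INDICATOR_IPS = {ip for ip, _ in INDICATORS}

@dataclass
class FlowRecord:  # hypothetical record shape mirroring the CommonSecurityLog projection above
    source_ip: str
    destination_ip: str
    destination_port: int

def classify(rec: FlowRecord) -> str:
    """'exact' on a destination ip:port hit, 'ip_only' when just an address matches (either direction, like the KQL), else 'none'."""
    if (rec.destination_ip, rec.destination_port) in INDICATORS:
        return "exact"
    if rec.destination_ip in INDICATOR_IPS or rec.source_ip in INDICATOR_IPS:
        return "ip_only"
    return "none"

def hunt(records: list[FlowRecord]) -> list[tuple[FlowRecord, str]]:
    """Return every record that touched an indicator together with its verdict."""
    return [(r, v) for r in records if (v := classify(r)) != "none"]

# Constructed sample flows, not real telemetry.
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.5", "172.235.163.136", 443),     # listed address, other port
    FlowRecord("10.0.0.7", "172.235.163.136", 25001),   # full ip:port match
    FlowRecord("152.42.142.122", "10.0.0.9", 3389),     # inbound from a listed address
]
```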
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Job | A legitimate scheduled job runs a script that uses the same tools (e.g., psutil, subprocess) as Kimwolf and so matches the IOCs. | `process.parent_process_name:*schtasks* or process.command_line:*schtasks*` |
| Admin Task – User Account Creation | An admin creates a new user account with a script that includes tools such as net user or powershell.exe, which may trigger the IOC. | `process.command_line:*net user* or process.command_line:*powershell.exe -Command*` |
| Log Collection and Analysis Tool | A legitimate log analysis tool (e.g., Splunk, ELK Stack) uses tools such as logrotate or rsyslog, which may be flagged by the rule. | `process.name:*splunk* or process.name:*rsyslog*` |
| Automated Patching Job | A patching tool (e.g., Windows Update, SCCM) executes scripts or uses utilities that match Kimwolf IOCs. | `process.parent_process_name:*wuauclt* or process.parent_process_name:*msiexec*` |
| Database Backup Script | A database backup script uses tools such as sqlcmd or mysqldump, which may be flagged as Kimwolf-related. | `process.name:*sqlcmd* or process.name:*mysqldump*` |