The ThreatFox: Kimwolf IOCs rule detects network activity involving command-and-control endpoints that ThreatFox (abuse.ch) attributes to the Kimwolf botnet. All three indicators are ip:port pairs of type botnet_cc, so a match means an internal host is talking to a known C2 endpoint, not merely generating generic suspicious traffic. SOC teams should hunt for these connections in Azure Sentinel (now Microsoft Sentinel) to find infected hosts beaconing to the botnet before they are tasked. The queries below key on the IP address; all three indicators use port 25001, so confirm the port when triaging a hit.
IOC Summary
Malware Family: Kimwolf
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 104[.]248[.]200[.]241:25001 | botnet_cc | 2026-04-24 | 100% |
| ip:port | 167[.]172[.]34[.]157:25001 | botnet_cc | 2026-04-24 | 100% |
| ip:port | 165[.]232[.]91[.]237:25001 | botnet_cc | 2026-04-24 | 100% |
```kql
// Hunt for network connections to known malicious IPs (CommonSecurityLog: CEF/syslog sources such as firewalls and proxies)
// Source: ThreatFox - Kimwolf. All three IOCs are ip:port with port 25001;
// the where clause keys on IP, PortMatch flags the exact ip:port hit.
let malicious_ips = dynamic(["165.232.91.237", "167.172.34.157", "104.248.200.241"]);
let ioc_port = 25001;
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend PortMatch = DestinationPort == ioc_port or SourcePort == ioc_port
| project TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events (DeviceNetworkEvents)
// Source: ThreatFox - Kimwolf. InitiatingProcessFileName is what lets an
// exclusion be scoped to one process on one device instead of to an IP.
let malicious_ips = dynamic(["165.232.91.237", "167.172.34.157", "104.248.200.241"]);
let ioc_port = 25001;
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend PortMatch = RemotePort == ioc_port
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the Common Event Format (CEF) data connector is enabled and that a firewall or proxy is actually forwarding to it |
| DeviceNetworkEvents | Ensure the Microsoft Defender XDR data connector is enabled; the table is populated from Defender for Endpoint |
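The matching both queries above express, replayed offline as an added example (not code from this page, from ThreatFox or from Microsoft): it refangs the three published ip:port IOCs, runs them over constructed CEF-style firewall lines in the shape CommonSecurityLog ingests and constructed endpoint events in the shape of DeviceNetworkEvents, distinguishes an exact ip:port hit from an IP-only hit, and applies an exclusion scoped to one host and one process rather than to a process name alone. The internal hosts, device names, process names and the 203.0.113.10 address in the sample data are invented for illustration.

```python
"""Offline replay of the ThreatFox Kimwolf ip:port hunt (added example, not
code from the page or from ThreatFox). Sample hosts, devices, processes and
the 203.0.113.10 address are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# IOC values exactly as published on the page (defanged with [.]).
THREATFOX_IOCS = [
    "104[.]248[.]200[.]241:25001",
    "167[.]172[.]34[.]157:25001",
    "165[.]232[.]91[.]237:25001",
]


def parse_ip_port(ioc):
    """Refang an IPv4 'ip:port' IOC and return a validated (ip, port) pair."""
    ip_text, sep, port_text = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port IOC: {ioc}")
    ip = str(ipaddress.ip_address(ip_text))  # rejects garbage, normalises form
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in IOC: {ioc}")
    return ip, port


IOC_PAIRS = {parse_ip_port(i) for i in THREATFOX_IOCS}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}


@dataclass(frozen=True)
class Hit:
    table: str        # Sentinel table the event came from
    host: str         # internal source IP or device name
    remote_ip: str
    remote_port: int
    process: str      # empty for firewall logs, which carry no process
    exact: bool       # True when ip AND port match the published IOC


# Constructed CEF lines in the shape a firewall forwards into CommonSecurityLog.
CEF_LINES = [
    "CEF:0|ACME|FW|1.0|100|Allowed|3|src=10.0.0.5 dst=104.248.200.241 dpt=25001 act=allow",
    "CEF:0|ACME|FW|1.0|100|Allowed|3|src=10.0.0.9 dst=167.172.34.157 dpt=443 act=allow",
    "CEF:0|ACME|FW|1.0|100|Allowed|3|src=10.0.0.7 dst=203.0.113.10 dpt=443 act=allow",
]

# Constructed events in the shape of DeviceNetworkEvents.
DEVICE_EVENTS = [
    {"DeviceName": "ws-042", "RemoteIP": "165.232.91.237", "RemotePort": 25001,
     "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "bkp-01", "RemoteIP": "165.232.91.237", "RemotePort": 25001,
     "InitiatingProcessFileName": "VeeamBackup.exe"},
    {"DeviceName": "ws-043", "RemoteIP": "203.0.113.10", "RemotePort": 443,
     "InitiatingProcessFileName": "chrome.exe"},
]

_CEF_KV = re.compile(r"(\w+)=(\S+)")


def hunt_cef(lines):
    """Mirror of the CommonSecurityLog query: key on destination IP, record the port."""
    hits = []
    for line in lines:
        ext = dict(_CEF_KV.findall(line.split("|", 7)[7]))  # 8th CEF field is the extension
        dst, dpt = ext.get("dst"), int(ext.get("dpt", 0))
        if dst in IOC_IPS:
            hits.append(Hit("CommonSecurityLog", ext.get("src", "?"), dst, dpt,
                            "", (dst, dpt) in IOC_PAIRS))
    return hits


def hunt_device(events):
    """Mirror of the DeviceNetworkEvents query, keeping the initiating process."""
    return [
        Hit("DeviceNetworkEvents", e["DeviceName"], e["RemoteIP"], e["RemotePort"],
            e["InitiatingProcessFileName"], (e["RemoteIP"], e["RemotePort"]) in IOC_PAIRS)
        for e in events if e["RemoteIP"] in IOC_IPS
    ]


def triage(hits, exclusions):
    """Split hits into (alerts, suppressed). An exclusion is a (host, process)
    pair and must match both fields, so a process name alone never silences
    the same connection from a different machine."""
    alerts, suppressed = [], []
    for h in hits:
        (suppressed if (h.host, h.process) in exclusions else alerts).append(h)
    return alerts, suppressed


if __name__ == "__main__":
    # Assumed exclusion from the backup scenario: only the backup host's Veeam process.
    alerts, suppressed = triage(hunt_cef(CEF_LINES) + hunt_device(DEVICE_EVENTS),
                                {("bkp-01", "VeeamBackup.exe")})
    for h in alerts:
        print(f"ALERT {h.table} {h.host} -> {h.remote_ip}:{h.remote_port} "
              f"{'exact' if h.exact else 'ip-only'} {h.process}")
    for h in suppressed:
        print(f"suppressed {h.host} {h.process} -> {h.remote_ip}:{h.remote_port}")
```

The firewall hit to 167.172.34.157 on port 443 is reported as ip-only: with cloud-hosted C2 addresses a different port can be a different tenant after the address is recycled, so it is triaged at lower priority rather than dropped. The suppressed Veeam hit is still returned so it can be reviewed, since a backup server reaching a 100%-confidence C2 endpoint on the C2 port is not something an exclusion should make invisible.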
Exclusions for the scenarios below should be scoped to a named host and, where the data source carries it, a named process, and suppressed matches should still be reviewed rather than silently dropped: all three indicators are published at 100% confidence as botnet C2, so the realistic false-positive path is a stale or re-assigned address, not a legitimate service that happens to talk to a C2 endpoint. Process names are only available in DeviceNetworkEvents (InitiatingProcessFileName); CommonSecurityLog exclusions have to be by source and destination address. A process name on its own is trivial for malware to imitate, so never exclude by process name without also pinning the host.
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A scheduled Veeam Backup & Replication job generates steady outbound traffic from the backup server. It matches the rule only if a repository or proxy address that the backup server legitimately talks to has been re-assigned and now appears in the Kimwolf IOC list. A backup server actually connecting to one of the listed addresses on port 25001 is not a false positive and should be investigated.
Filter/Exclusion: Exclude traffic between the specific backup server IP and its known repository address, or in DeviceNetworkEvents exclude the backup host together with process name VeeamBackup.exe. Do not exclude by process name alone.
Scenario: Microsoft Windows Update Task via Task Scheduler
Description: A scheduled Windows Update task matches the rule only if a Microsoft update endpoint were listed in the Kimwolf IOC set, which would indicate a stale or mis-attributed IOC entry rather than an infection. Check the match against the IOC port before assuming it is update traffic.
Filter/Exclusion: Exclude traffic to the WSUS server or to update.microsoft.com, or filter by process name schtasks.exe or wuauclt.exe. On current Windows versions the update client runs inside svchost.exe (the wuauserv service), so a process-name filter on wuauclt.exe will not cover most update traffic; prefer the destination-based exclusion.
Scenario: Log Management with Splunk Forwarder
Description: A Splunk Universal Forwarder sends a continuous stream of log data to the indexer (by default TCP 9997). It matches the rule only if the indexer's IP is mistakenly listed in the IOC database, and forwarder traffic to port 9997 against an IOC on port 25001 is an IP-only match that points to a stale entry.
Filter/Exclusion: Exclude traffic from the forwarder host to the known indexer IP, or filter by process name splunkforwarder.exe. Note that the Universal Forwarder's process is splunkd.exe and SplunkForwarder is the Windows service name, so verify the binary name on the host before relying on it.
Scenario: Database Maintenance Task Using SQL Server Agent
Description: A SQL Server Agent job performing routine maintenance (index rebuilds, or backups written to a remote share) generates traffic from the database host. It matches the rule only if the destination the job writes to is falsely associated with Kimwolf.
Filter/Exclusion: Exclude traffic from the SQL Server instance to its known backup target, or filter by process name sqlservr.exe or sqlagent.exe scoped to the database host.
Scenario: Remote Desktop Session with Microsoft Remote Desktop Client
Description: A legitimate RDP session using the Microsoft Remote Desktop Client may trigger the rule if the RDP server IP is listed as