The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with high-impact ransomware operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before significant damage occurs.
IOC Summary
Malware Family: Kimwolf
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 64[.]225[.]65[.]127:25001 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 167[.]99[.]47[.]245:25001 | botnet_cc | 2026-06-16 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
// Note: both IOCs are ip:port (port 25001); this query matches on IP only, so
// traffic to these hosts on any port is surfaced and the port is reviewed in the results.
let malicious_ips = dynamic(["64.225.65.127", "167.99.47.245"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// RemotePort is projected so the analyst can confirm the IOC port (25001).
let malicious_ips = dynamic(["64.225.65.127", "167.99.47.245"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may generate network traffic that matches Kimwolf IOCs (e.g., connecting to a known IP or using a specific port).
Filter/Exclusion: Exclude traffic originating from or destined to the Veeam backup server IP, or filter by process name VeeamBackup.exe.
Scenario: Windows Task Scheduler Running Admin Tasks
Description: A legitimate administrative task, such as updating system drivers or running a PowerShell script via Task Scheduler, might trigger the rule if it uses a tool or script that matches Kimwolf IOCs.
Filter/Exclusion: Exclude processes launched by schtasks.exe or filter by user account (e.g., SYSTEM or Administrator).
Scenario: Database Maintenance Job Using SQL Server Agent
Description: A SQL Server Agent job performing routine maintenance (e.g., index rebuilds, log truncation) may use a tool or script that is flagged by the Kimwolf detection logic.
Filter/Exclusion: Exclude processes associated with SQL Server Agent (sqlagent.exe) or filter by the SQL Server service account.
Scenario: Log Collection Using Splunk Forwarder
Description: A Splunk Universal Forwarder sending logs to a central Splunk server may generate traffic that matches Kimwolf IOCs, especially if the forwarder is configured to use a specific IP or port.
Filter/Exclusion: Exclude traffic from the Splunk forwarder IP or filter by process name splunkforwarder.exe.
Scenario: Software Update Deployment Using Microsoft Endpoint Manager (MEM)
Description: A software update deployment via Microsoft Endpoint Manager may involve communication with Microsoft servers that could be misidentified as Kimwolf IOCs.
*Filter/Exclusion
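The two hunting queries above key on the IOC IP alone, while the false-positive scenarios call for excluding known backup, forwarder or scheduler hosts and processes. The following Python script, an added example that is not part of the original rule page, emulates that hunt locally: it refangs the `ip:port` indicators from the IOC table, reports exact ip:port hits separately from weaker IP-only hits, and applies an allowlist of the kind the Veeam scenario describes. The `Exclusions` class, the `NetEvent` shape and every event record are constructed for the example; the host addresses and process names in the sample data are not real observations.

```python
"""Local emulation of the ThreatFox Kimwolf ip:port hunt with the exclusions
described in the false-positive scenarios.  Added example, not part of the
original rule page; all event records are constructed sample data."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Defanged ip:port indicators exactly as the IOC table lists them.
KIMWOLF_IOCS = ["64[.]225[.]65[.]127:25001", "167[.]99[.]47[.]245:25001"]

_DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(value: str) -> str:
    """Turn a defanged value such as 64[.]225[.]65[.]127 back into 64.225.65.127."""
    return _DEFANGED_DOT.sub(".", value)


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Parse a (possibly defanged) 'ip:port' IOC and validate both halves."""
    ip_str, sep, port_str = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"IOC is not ip:port: {ioc}")
    ip = ipaddress.ip_address(ip_str)  # raises ValueError on malformed input
    port = int(port_str)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in IOC: {ioc}")
    return str(ip), port


@dataclass(frozen=True)
class NetEvent:
    """Remote-side view shared by CommonSecurityLog and DeviceNetworkEvents rows (constructed shape)."""
    ts: str
    local_ip: str
    remote_ip: str
    remote_port: int
    process: str = ""


@dataclass(frozen=True)
class Exclusions:
    """Hypothetical allowlist modelled on the page's false-positive scenarios."""
    local_ips: frozenset[str] = frozenset()   # e.g. the Veeam backup server
    processes: frozenset[str] = frozenset()   # e.g. VeeamBackup.exe, splunkforwarder.exe


def hunt(events, iocs=KIMWOLF_IOCS, exclusions=Exclusions()):
    """Split events into exact ip:port hits and weaker IP-only hits.

    The page's KQL keys on the IP alone; matching the port as well gives the
    analyst a higher-confidence tier while still surfacing IP-only traffic.
    """
    exact = {parse_ip_port(i) for i in iocs}
    ioc_ips = {ip for ip, _ in exact}
    excluded_procs = {p.lower() for p in exclusions.processes}
    exact_hits, ip_only_hits = [], []
    for ev in events:
        if ev.local_ip in exclusions.local_ips or ev.process.lower() in excluded_procs:
            continue  # documented benign source: drop before alerting
        if (ev.remote_ip, ev.remote_port) in exact:
            exact_hits.append(ev)
        elif ev.remote_ip in ioc_ips:
            ip_only_hits.append(ev)
    return exact_hits, ip_only_hits


def sample_events() -> list[NetEvent]:
    """Constructed events; none of these hosts or processes are real observations."""
    return [
        NetEvent("2026-06-16T10:00:01Z", "10.0.0.5", "64.225.65.127", 25001, "powershell.exe"),
        NetEvent("2026-06-16T10:00:07Z", "10.0.0.9", "167.99.47.245", 25001, "VeeamBackup.exe"),
        NetEvent("2026-06-16T10:01:13Z", "10.0.0.7", "64.225.65.127", 443, "chrome.exe"),
        NetEvent("2026-06-16T10:01:20Z", "10.0.0.7", "8.8.8.8", 53, "svchost.exe"),
    ]


# Hypothetical allowlist for the "Scheduled System Backup Using Veeam" scenario.
VEEAM_EXCLUSIONS = Exclusions(local_ips=frozenset({"10.0.0.9"}),
                              processes=frozenset({"VeeamBackup.exe"}))

if __name__ == "__main__":
    hits, weak = hunt(sample_events(), exclusions=VEEAM_EXCLUSIONS)
    for ev in hits:
        print("EXACT  ", ev.ts, ev.local_ip, "->", f"{ev.remote_ip}:{ev.remote_port}", ev.process)
    for ev in weak:
        print("IP-ONLY", ev.ts, ev.local_ip, "->", f"{ev.remote_ip}:{ev.remote_port}", ev.process)
```

Run as-is, the script reports the powershell.exe connection to 64.225.65.127:25001 as an exact hit, the chrome.exe connection to the same host on port 443 as an IP-only hit, and drops the backup server's traffic because both its address and process are allowlisted. The two-tier result mirrors how the Sentinel queries should be triaged: an IP-only match to a botnet C2 address still deserves a look, but an ip:port match to 25001 is the higher-confidence signal.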