The ThreatFox: Kimwolf IOCs rule flags network connections to infrastructure that ThreatFox attributes to the Kimwolf malware family, which is associated with high-impact ransomware operations; both indicators on this page are botnet command-and-control (botnet_cc) endpoints. SOC teams should hunt for these connections in Microsoft Sentinel (formerly Azure Sentinel) and Defender for Endpoint, because a beacon to a C2 server is an early-stage signal that can be acted on before the operator moves laterally or delivers a payload.
IOC Summary
Malware Family: Kimwolf
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 167[.]172[.]39[.]240:25001 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 146[.]190[.]19[.]80:25001 | botnet_cc | 2026-06-09 | 100% |
Hunting Queries (KQL)

```kql
// Hunt for network connections to known malicious IPs
// (CommonSecurityLog: CEF feeds from firewalls, proxies and similar perimeter devices)
// Source: ThreatFox - Kimwolf
let malicious_ips = dynamic(["167.172.39.240", "146.190.19.80"]);
let c2_port = 25001; // both IOCs are ip:port pairs on this port
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// Uncomment to require the exact ip:port pair as published; leave it commented
// to also see other traffic to the same host (useful when the port changes).
// | where DestinationPort == c2_port
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Kimwolf
let malicious_ips = dynamic(["167.172.39.240", "146.190.19.80"]);
let c2_port = 25001; // both IOCs are ip:port pairs on this port
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// Distinguish the published ip:port pair from other traffic to the same host
| extend ExactIocMatch = (RemotePort == c2_port)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactIocMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector from firewalls and proxies; ensure the connector is enabled and that devices forward allowed connections, not only denied ones |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; ensure the connector is enabled and the DeviceNetworkEvents table is selected for ingestion |
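The two queries above match on the IP alone, while the published indicators are ip:port pairs. The following script, an added example that is not ThreatFox or Microsoft code, does the same matching offline so the difference can be seen: it refangs the IOC values as ThreatFox publishes them, emits the `dynamic([...])` literal the KQL queries use, and classifies constructed DeviceNetworkEvents-style rows as exact ip:port hits or IP-only hits. The host names and event rows are constructed for illustration.

```python
"""Offline check of ThreatFox ip:port IOCs against sample endpoint telemetry.

Added example (not ThreatFox or Microsoft code). The event rows and host
names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# The two IOC rows from this page, in ThreatFox's defanged form.
THREATFOX_IOCS = [
    ("ip:port", "167[.]172[.]39[.]240:25001", "botnet_cc"),
    ("ip:port", "146[.]190[.]19[.]80:25001", "botnet_cc"),
]

# Constructed sample rows shaped like DeviceNetworkEvents (hypothetical hosts).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "167.172.39.240", "RemotePort": 25001,
     "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws02", "RemoteIP": "146.190.19.80", "RemotePort": 443,
     "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 25001,
     "InitiatingProcessFileName": "java.exe"},
]


@dataclass(frozen=True)
class IpPortIoc:
    ip: str
    port: int


def refang(value: str) -> str:
    """Undo the bracket defanging used in the IOC table."""
    return value.replace("[.]", ".").replace("[:]", ":")


def parse_ip_port(value: str) -> IpPortIoc:
    """Parse 'a[.]b[.]c[.]d:port' into a validated IpPortIoc."""
    ip_str, port_str = refang(value).rsplit(":", 1)
    ip = ipaddress.ip_address(ip_str)          # ValueError on a malformed address
    port = int(port_str)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in IOC {value!r}")
    return IpPortIoc(str(ip), port)


def load_ip_port_iocs(rows) -> list[IpPortIoc]:
    """Keep only ip:port rows; other ThreatFox types (domain, url, sha256) need their own matcher."""
    return [parse_ip_port(value) for ioc_type, value, _ in rows if ioc_type == "ip:port"]


def kql_ip_list(iocs) -> str:
    """Render the `let malicious_ips = dynamic([...]);` line used by the KQL queries."""
    quoted = ", ".join(f'"{ip}"' for ip in sorted({ioc.ip for ioc in iocs}))
    return f"let malicious_ips = dynamic([{quoted}]);"


def match_events(events, iocs):
    """Return (DeviceName, RemoteIP, RemotePort, process, kind) for events whose RemoteIP is an IOC.

    kind is 'exact' when the port also matches the published pair and 'ip_only'
    otherwise. A matching port on a non-IOC address is not a hit: the port by
    itself is not an indicator.
    """
    ports_by_ip: dict[str, set[int]] = {}
    for ioc in iocs:
        ports_by_ip.setdefault(ioc.ip, set()).add(ioc.port)
    hits = []
    for ev in events:
        ports = ports_by_ip.get(ev["RemoteIP"])
        if ports is None:
            continue
        kind = "exact" if ev["RemotePort"] in ports else "ip_only"
        hits.append((ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"],
                     ev["InitiatingProcessFileName"], kind))
    return hits


if __name__ == "__main__":
    iocs = load_ip_port_iocs(THREATFOX_IOCS)
    print(kql_ip_list(iocs))
    for hit in match_events(SAMPLE_EVENTS, iocs):
        print(hit)
```

Run against the constructed rows, ws01 is an exact ip:port hit, ws02 is an IP-only hit (same host, different port, which still deserves triage because the operator may have moved the listener), and ws03 is not reported at all even though it uses port 25001, since the port alone is not an indicator.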
False Positive Scenarios
Because these indicators are ip:port pairs, an exclusion should never key on the launching process or account alone: any of the processes below can be abused to start a beacon, and a process-name filter would hide exactly the true positive being hunted for. Confirm the destination first, then scope the exclusion to the specific host and destination that were verified. The situations that most often turn a hit into a genuine false positive are a security tool (sandbox, URL scanner, proxy health check) that deliberately contacts the listed addresses, and an address that has been reassigned since the First Seen date. In the filters below, values in angle brackets are placeholders to be filled from the verified case, and each filter is meant to be appended to the DeviceNetworkEvents hunt above.
Scenario: Scheduled System Maintenance Task
Description: A script launched by a scheduled task makes outbound connections that appear in the DeviceNetworkEvents hunt. On Windows the task is started by the Schedule service, which runs inside svchost.exe (there is no taskschd.exe launcher), and scheduled tasks are themselves a common persistence mechanism, so the parent process does not make the connection benign; verify the task definition and the RemoteIP and RemotePort before excluding.
Filter/Exclusion (KQL, after verification): | where not(InitiatingProcessParentFileName =~ "svchost.exe" and InitiatingProcessFileName =~ "powershell.exe" and DeviceName =~ "<verified host>")
Scenario: Admin Performing System Monitoring with PowerShell
Description: An administrator's PowerShell session generates outbound connections under a privileged account (local cmdlets such as Get-Process do not open network connections, but querying other hosts, for example Get-EventLog -ComputerName, does). A privileged account is also the one an attacker most wants to operate from, so an exclusion on account name alone is unsafe; pair it with the specific monitoring targets the admin actually uses.
Filter/Exclusion (KQL, after verification): | where not(InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessAccountName =~ "admin_user" and RemoteIP in ("<verified monitoring targets>"))
Scenario: Log Analysis Tool Processing Logs
Description: Log forwarders and indexers such as Splunk (splunkd.exe) or the ELK stack (Elasticsearch and Logstash run under java.exe) keep persistent outbound connections to their indexers and cluster peers. Those destinations are known and fixed, so compare them with the listed IOCs; a forwarder talking to an unknown address on port 25001 is not explained by this scenario.
Filter/Exclusion (KQL, after verification): | where not(InitiatingProcessFileName in~ ("splunkd.exe", "java.exe") and RemoteIP in ("<indexer IPs>"))
Scenario: Software Update Job Using Chocolatey
Description: A scheduled Chocolatey job (choco upgrade; update is a deprecated alias for the same command) contacts the configured package feed. Check that the feed URL resolves to the addresses seen; package feeds are also a supply-chain vector, so an unexpected destination from choco.exe deserves investigation rather than an exclusion.
Filter/Exclusion (KQL, after verification): | where not(InitiatingProcessFileName =~ "choco.exe" and InitiatingProcessCommandLine has "upgrade" and RemoteIP in ("<feed IPs>"))
Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent job step (spawned by sqlagent.exe, typically as cmd.exe, powershell.exe or sqlcmd.exe; sqlservr.exe is the database engine service and is not a child of the Agent) copies backups to a network or cloud destination. Verify that the destination is the backup target, and keep in mind that Agent jobs and xp_cmdshell are well-known ways to run arbitrary commands on a database server.
Filter/Exclusion (KQL, after verification): | where not(InitiatingProcessParentFileName =~ "sqlagent.exe" and RemoteIP in ("<backup target IPs>"))