The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with malware distribution and command and control infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises and prevent lateral movement within the network.
IOC Summary
Malware Family: Kimwolf
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 68[.]183[.]13[.]148:25001 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 161[.]35[.]93[.]156:25001 | botnet_cc | 2026-05-22 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
// Note: both IOCs in the table above are listed with port 25001; add
// "and DestinationPort == 25001" to the where clause for a tighter match.
let malicious_ips = dynamic(["161.35.93.156", "68.183.13.148"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Run as a separate query from the CommonSecurityLog hunt above.
let malicious_ips = dynamic(["161.35.93.156", "68.183.13.148"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
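The ThreatFox rows are published defanged (`68[.]183[.]13[.]148:25001`) while the hunting queries need plain IPs, and the hunts above match on IP only even though each IOC carries a port. The following added example (not part of this rule page or ThreatFox) refangs the ip:port rows from the table above, validates them, and generates a DeviceNetworkEvents hunt that matches on IP and port together, so a shared host seen on an unrelated port does not fire the hunt; the `kimwolf_cc` table name and the sample table text are assumptions.

```python
import ipaddress
import re

# Constructed sample: the two ThreatFox rows from the IOC table above, as published (defanged).
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 68[.]183[.]13[.]148:25001 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 161[.]35[.]93[.]156:25001 | botnet_cc | 2026-05-22 | 100% |
"""

# Matches only rows whose Type column is ip:port and captures the Value column.
ROW_RE = re.compile(r"^\|\s*ip:port\s*\|\s*(?P<value>[^|]+?)\s*\|")


def refang(value: str) -> str:
    """Turn defanged notation ('68[.]183[.]13[.]148') back into a plain string."""
    return value.replace("[.]", ".")


def parse_ip_port_iocs(table: str) -> list[tuple[str, int]]:
    """Extract (ip, port) tuples from ip:port rows; rejects malformed IPs or ports."""
    iocs = []
    for line in table.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        host, _, port = refang(m.group("value")).rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError if the refanged host is not an IP
        port_num = int(port)
        if not 0 < port_num < 65536:
            raise ValueError(f"port out of range: {port}")
        iocs.append((host, port_num))
    return iocs


def build_kql(iocs: list[tuple[str, int]]) -> str:
    """Emit a DeviceNetworkEvents hunt keyed on (RemoteIP, RemotePort) via an inline datatable."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in iocs)
    return (
        "let kimwolf_cc = datatable(RemoteIP:string, RemotePort:int) [\n"
        f"{rows}\n];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner kimwolf_cc on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )


if __name__ == "__main__":
    print(build_kql(parse_ip_port_iocs(IOC_TABLE)))
```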
Scenario: Legitimate scheduled job using crontab to run a system cleanup tool like logrotate
Filter/Exclusion: Exclude processes associated with logrotate or crontab by checking the command line arguments or process name.
Scenario: System administrator using rsyslog to forward logs to a centralized logging server
Filter/Exclusion: Exclude processes with rsyslog in the command line or filter by known log forwarding IP addresses.
Scenario: Regular use of tar or gzip for archiving files during backup operations
Filter/Exclusion: Exclude processes involving tar or gzip when executed from a known backup directory or by a backup user account.
Scenario: Use of ssh for secure remote administration by authorized personnel
Filter/Exclusion: Exclude SSH connections from known administrative IP ranges or user accounts with elevated privileges.
Scenario: Execution of systemd services for managing system daemons and services
Filter/Exclusion: Exclude processes initiated by systemd or associated with known service units (e.g., sshd, nginx, mysql).