The detection identifies potential Kimsuky adversary activity through known IOCs associated with command and control infrastructure. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threat operations early in the attack lifecycle.
IOC Summary
Malware Family: Kimsuky
Total IOCs: 4
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 38[.]60[.]220[.]73:443 | botnet_cc | 2026-06-14 | 100% |
| domain | user-kakao.login-accounts.dynv6.net | botnet_cc | 2026-06-14 | 100% |
| domain | account-login.userauth.o-r.kr | botnet_cc | 2026-06-14 | 100% |
| domain | account-auth.userlogin.kro.kr | botnet_cc | 2026-06-14 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimsuky
// Note: the IOC was published as 38.60.220.73:443; this query matches the IP on any port
let malicious_ips = dynamic(["38.60.220.73"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Kimsuky
let malicious_ips = dynamic(["38.60.220.73"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Kimsuky
// Note: has_any is a substring match, so subdomains of the listed names are also returned
let malicious_domains = dynamic(["user-kakao.login-accounts.dynv6.net", "account-login.userauth.o-r.kr", "account-auth.userlogin.kro.kr"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
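The hunts above depend on turning the defanged IOC table into exact indicator lists and applying them to telemetry. The following added example (not part of the original detection content) refangs the published values, renders the KQL `dynamic([...])` literals, and runs the same IP and domain logic over constructed sample events; it also checks the published port and uses exact or subdomain matching so that a parent zone such as `kro.kr` does not match, which `has_any` alone would not guarantee.

```python
# Constructed copy of the IOC table above, kept defanged exactly as published.
RAW_IOCS = [
    ("ip:port", "38[.]60[.]220[.]73:443"),
    ("domain", "user-kakao.login-accounts.dynv6.net"),
    ("domain", "account-login.userauth.o-r.kr"),
    ("domain", "account-auth.userlogin.kro.kr"),
]

def build_indicators(raw_iocs):
    """Return ({ip: expected_port}, {lower-cased domain}) from (type, value) pairs."""
    ip_ports, domains = {}, set()
    for ioc_type, value in raw_iocs:
        # Refang "[.]" -> "." so the value compares with live telemetry.
        value = value.replace("[.]", ".").strip().lower()
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            ip_ports[ip] = int(port)
        elif ioc_type == "domain":
            domains.add(value.rstrip("."))
    return ip_ports, domains

def kql_dynamic(values):
    """Render a KQL dynamic([...]) literal ready to paste into the hunts above."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"

def domain_matches(name, domains):
    """Exact or subdomain match; a parent zone such as kro.kr must not match."""
    name = name.strip().lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def match_events(events, ip_ports, domains):
    """Apply the indicators to event dicts shaped like the Sentinel/MDE tables."""
    hits = []
    for ev in events:
        ip = ev.get("RemoteIP") or ev.get("DestinationIP")
        if ip in ip_ports:
            port_ok = ev.get("RemotePort", ev.get("DestinationPort")) == ip_ports[ip]
            hits.append({"event": ev, "indicator": ip, "port_match": port_ok})
        elif "Name" in ev and domain_matches(ev["Name"], domains):
            hits.append({"event": ev, "indicator": ev["Name"], "port_match": None})
    return hits

# Constructed sample telemetry, not real logs: four true hits and one decoy (parent zone).
SAMPLE_EVENTS = [
    {"RemoteIP": "38.60.220.73", "RemotePort": 443, "DeviceName": "ws01"},
    {"RemoteIP": "38.60.220.73", "RemotePort": 8080, "DeviceName": "ws02"},
    {"Name": "ACCOUNT-AUTH.userlogin.kro.kr.", "Computer": "ws01"},
    {"Name": "mail.user-kakao.login-accounts.dynv6.net", "Computer": "ws04"},
    {"Name": "kro.kr", "Computer": "ws05"},
]
```

A hit with `port_match` False (the 8080 connection) is still worth triage, but the port mismatch against the published IOC lowers confidence relative to the 443 hit.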
Scenario: Legitimate scheduled backup job using wbadmin
Description: A scheduled backup task using Windows Backup and Restore (wbadmin) may trigger the rule if it matches Kimsuky-related IOCs.
Filter/Exclusion: Exclude processes initiated by the wbadmin service or tasks scheduled via Task Scheduler with the wbadmin executable.

Scenario: Admin task using PowerShell for system monitoring
Description: A system admin may use PowerShell scripts to monitor system performance or logs, which could inadvertently match Kimsuky IOCs.
Filter/Exclusion: Exclude PowerShell scripts executed by users with administrative privileges or those that match known admin monitoring scripts.

Scenario: Use of LogonUI.exe during user login
Description: The LogonUI.exe process is a legitimate Windows component used during user login, and its execution could be mistaken for malicious activity.
Filter/Exclusion: Exclude processes where LogonUI.exe is executed in the context of user logon events or during normal authentication processes.

Scenario: Legitimate use of certutil for certificate management
Description: System administrators may use certutil to manage certificates, which could be flagged if the command or file paths match Kimsuky IOCs.
Filter/Exclusion: Exclude processes where certutil is used in certificate management tasks, such as importing or exporting certificates.

Scenario: Use of schtasks.exe for legitimate scheduled tasks
Description: The schtasks.exe utility is commonly used to create and manage scheduled tasks, and its execution could be flagged if it matches Kimsuky-related IOCs.
Filter/Exclusion: Exclude processes initiated by the schtasks.exe command with known legitimate task names or user accounts.