The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with high-severity cyberattacks targeting organizations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Kimwolf
Total IOCs: 20
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]235[.]174[.]99:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 172[.]235[.]174[.]37:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 172[.]235[.]174[.]105:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 172[.]235[.]174[.]81:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 172[.]235[.]174[.]150:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 172[.]235[.]174[.]21:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 172[.]235[.]174[.]91:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 172[.]235[.]174[.]143:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 172[.]235[.]174[.]114:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 172[.]235[.]174[.]138:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 188[.]166[.]75[.]9:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 206[.]189[.]110[.]191:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 64[.]227[.]74[.]157:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 161[.]35[.]93[.]146:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 152[.]42[.]135[.]190:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 165[.]22[.]198[.]24:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 164[.]90[.]206[.]123:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 161[.]35[.]153[.]147:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 165[.]232[.]92[.]26:25001 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 167[.]172[.]37[.]243:25001 | botnet_cc | 2026-05-09 | 100% |
```kql
// Hunt for network connections to known malicious IPs (firewall / proxy / NDR logs)
// Source: ThreatFox - Kimwolf
// Note: every IOC in this set is ip:port with port 25001; the query below matches on IP only,
// so append "and DestinationPort == 25001" if the addresses turn out to be shared hosting.
let malicious_ips = dynamic(["172.235.174.99", "172.235.174.37", "172.235.174.150", "172.235.174.114", "188.166.75.9", "164.90.206.123", "167.172.37.243", "152.42.135.190", "172.235.174.143", "172.235.174.105", "172.235.174.138", "64.227.74.157", "161.35.153.147", "165.232.92.26", "172.235.174.21", "172.235.174.81", "206.189.110.191", "172.235.174.91", "161.35.93.146", "165.22.198.24"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events (host-level view: which process made the connection)
// Source: ThreatFox - Kimwolf
let malicious_ips = dynamic(["172.235.174.99", "172.235.174.37", "172.235.174.150", "172.235.174.114", "188.166.75.9", "164.90.206.123", "167.172.37.243", "152.42.135.190", "172.235.174.143", "172.235.174.105", "172.235.174.138", "64.227.74.157", "161.35.153.147", "165.232.92.26", "172.235.174.21", "172.235.174.81", "206.189.110.191", "172.235.174.91", "161.35.93.146", "165.22.198.24"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
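As an added example (not part of the ThreatFox rule page or its queries), the following Python script refangs the defanged ip:port entries from the table above into a watchlist, matches a few constructed CommonSecurityLog-style flow records against it on both IP and port, and emits the `let malicious_ips = dynamic([...])` line the KQL queries use. The three-entry IOC subset, the flow records and the function names are assumptions made for this example; the port check is the part the page's IP-only queries do not show.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subset of the defanged ThreatFox entries listed above (assumption: any
# three rows are enough to demonstrate parsing; the real feed has 20 entries).
DEFANGED_IOCS = [
    "172[.]235[.]174[.]99:25001",
    "188[.]166[.]75[.]9:25001",
    "64[.]227[.]74[.]157:25001",
]

# Constructed CommonSecurityLog-style records (assumption: field names as in Sentinel).
SAMPLE_FLOWS = [
    {"TimeGenerated": "2026-05-10T08:01:00Z", "SourceIP": "10.1.2.3", "SourcePort": 51234,
     "DestinationIP": "172.235.174.99", "DestinationPort": 25001},   # outbound, IP and port match
    {"TimeGenerated": "2026-05-10T08:02:00Z", "SourceIP": "10.1.2.4", "SourcePort": 51235,
     "DestinationIP": "172.235.174.99", "DestinationPort": 443},     # IP matches, port does not
    {"TimeGenerated": "2026-05-10T08:03:00Z", "SourceIP": "64.227.74.157", "SourcePort": 25001,
     "DestinationIP": "10.1.2.5", "DestinationPort": 22},            # inbound from a listed ip:port
    {"TimeGenerated": "2026-05-10T08:04:00Z", "SourceIP": "10.1.2.6", "SourcePort": 40000,
     "DestinationIP": "10.1.2.7", "DestinationPort": 25001},         # port only, no listed IP
]


@dataclass(frozen=True)
class IocEndpoint:
    ip: str
    port: int


def refang(defanged: str) -> str:
    """Undo the common defanging forms: 172[.]235[.]174[.]99 -> 172.235.174.99."""
    return defanged.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_ip_port(entry: str) -> IocEndpoint:
    """Parse one defanged 'ip:port' IOC; rejects anything that is not an IPv4/port pair."""
    ip_str, sep, port_str = refang(entry.strip()).rpartition(":")
    if not sep or not port_str.isdigit():
        raise ValueError(f"expected ip:port, got {entry!r}")
    ip = ipaddress.ip_address(ip_str)          # raises ValueError on a malformed address
    if ip.version != 4:                        # assumption: bracketed IPv6 is out of scope here
        raise ValueError(f"only IPv4 ip:port IOCs are handled: {entry!r}")
    port = int(port_str)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return IocEndpoint(str(ip), port)


def build_watchlist(entries) -> dict:
    """Map each IP to the set of ports ThreatFox reported for it."""
    watchlist: dict = {}
    for entry in entries:
        ioc = parse_ip_port(entry)
        watchlist.setdefault(ioc.ip, set()).add(ioc.port)
    return watchlist


def to_kql_let(watchlist: dict, name: str = "malicious_ips") -> str:
    """Render the watchlist as the KQL let-statement used in the hunting queries."""
    ips = ", ".join(f'"{ip}"' for ip in sorted(watchlist, key=ipaddress.ip_address))
    return f"let {name} = dynamic([{ips}]);"


def match_flows(flows, watchlist: dict) -> list:
    """Return one hit per (record, direction) whose IP is listed; port_match tells whether
    the observed port is the one ThreatFox reported, which an IP-only query cannot."""
    hits = []
    checks = (("DestinationIP", "DestinationPort", "outbound"),
              ("SourceIP", "SourcePort", "inbound"))
    for idx, flow in enumerate(flows):
        for ip_key, port_key, direction in checks:
            ip = flow.get(ip_key)
            if ip in watchlist:
                port = int(flow.get(port_key, -1))
                hits.append({"index": idx, "direction": direction, "ip": ip,
                             "port": port, "port_match": port in watchlist[ip]})
    return hits


if __name__ == "__main__":
    wl = build_watchlist(DEFANGED_IOCS)
    print(to_kql_let(wl))
    for hit in match_flows(SAMPLE_FLOWS, wl):
        print(hit)
```

Hits with `port_match` false (the second record above) are the cases worth triaging separately: the address is on the list, but the traffic is not to the reported C2 port, so a shared-hosting or recycled IP is a plausible benign explanation.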
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job execution
Description: A scheduled job runs a script that matches one of the IOCs (e.g., C:\Windows\System32\cmd.exe) as part of routine system maintenance.
Filter/Exclusion: Exclude processes associated with known scheduled tasks (e.g., schtasks.exe, Task Scheduler), or filter by process path containing System32 or Windows directories.
Scenario: Admin using PowerShell for system diagnostics
Description: An administrator uses PowerShell to run diagnostic commands (e.g., Get-EventLog, Get-Service) that may match IOCs due to common command-line usage.
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes known admin diagnostic commands or is initiated from a trusted admin account.
Scenario: Log file parsing by SIEM tool
Description: A SIEM tool (e.g., Splunk, ELK) parses log files and generates events that match IOCs due to standard log entries (e.g., C:\Windows\System32\LogFiles).
Filter/Exclusion: Exclude events generated by SIEM tools or log parsing processes, or filter by event source (e.g., EventLog, Syslog, Windows Event Log).
Scenario: Antivirus or EDR tool scanning
Description: An EDR tool (e.g., CrowdStrike, Microsoft Defender) performs a scan and generates alerts for known benign files or processes that match the IOC list.
Filter/Exclusion: Exclude processes associated with EDR tools (e.g., mpcmdrun.exe, MsMpEng.exe) or filter by process name containing antivirus, EDR, or Defender.
Scenario: Backup or replication job using standard tools
*Description