The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with high-severity malware and targeted attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before significant damage occurs.
IOC Summary
Malware Family: Kimwolf
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 161[.]35[.]82[.]152:25001 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 209[.]38[.]34[.]201:25001 | botnet_cc | 2026-05-22 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
// Note: the published IOCs are ip:port pairs (port 25001); the DestinationPort
// column projected below can be used to confirm or tighten a match.
let malicious_ips = dynamic(["161.35.82.152", "209.38.34.201"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Note: RemotePort is projected so analysts can check it against the IOC port (25001).
let malicious_ips = dynamic(["161.35.82.152", "209.38.34.201"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
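As an added example (not part of the ThreatFox feed or the rule above), the following Python refangs the ip:port IOCs from the table, triages constructed DeviceNetworkEvents-style records into exact ip:port hits versus IP-only matches (the queries above surface both), and renders the exact-pair match as a KQL `where` clause. The event records and device names are constructed; the column names mirror DeviceNetworkEvents.

```python
import ipaddress
import re

# IOCs exactly as published in the table above (defanged with [.]).
KIMWOLF_IOCS = ["161[.]35[.]82[.]152:25001", "209[.]38[.]34[.]201:25001"]
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\[dot\]")


def refang(ioc: str) -> tuple[str, int]:
    """Return (ip, port) from a defanged 'ip:port' string, validating both parts."""
    host, sep, port = _DEFANG.sub(".", ioc).rpartition(":")
    if not sep:
        raise ValueError(f"expected ip:port, got {ioc!r}")
    return str(ipaddress.ip_address(host)), int(port)  # ValueError on bad input


def triage(events: list[dict], iocs=KIMWOLF_IOCS) -> dict[str, list[dict]]:
    """Split events into exact ip:port hits and weaker IP-only matches.

    An IP-only query, like the ones on this page, alerts on both classes.
    A hosting address may serve unrelated tenants on other ports, so the
    exact (ip, port) pair is the high-confidence signal; IP-only goes to review.
    """
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    result: dict[str, list[dict]] = {"exact": [], "ip_only": []}
    for ev in events:
        key = (ev["RemoteIP"], int(ev["RemotePort"]))
        if key in pairs:
            result["exact"].append(ev)
        elif key[0] in ips:
            result["ip_only"].append(ev)
    return result


def kql_pair_filter(iocs=KIMWOLF_IOCS) -> str:
    """Render the exact-pair match as a KQL where clause for DeviceNetworkEvents."""
    lits = ", ".join(f'"{ip}:{port}"' for ip, port in sorted(refang(i) for i in iocs))
    return f'| where strcat(RemoteIP, ":", tostring(RemotePort)) in ({lits})'


# Constructed sample telemetry using DeviceNetworkEvents column names (not real data).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "161.35.82.152", "RemotePort": 25001},
    {"DeviceName": "ws02", "RemoteIP": "161.35.82.152", "RemotePort": 443},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.7", "RemotePort": 25001},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS), kql_pair_filter(), sep="\n")
```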
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOCs associated with Kimwolf, such as psutil or subprocess calls.
Filter/Exclusion: Exclude processes initiated by the Windows Task Scheduler with a known maintenance task name (e.g., TaskScheduler or MaintenanceTask).
Scenario: Admin User Performing System Monitoring
Description: An admin user is using a tool like Process Explorer or PsExec to monitor system processes, which may trigger the IOCs due to process enumeration.
Filter/Exclusion: Exclude processes initiated by admin users with a known monitoring tool (e.g., Process Explorer, PsExec) or with a user SID matching the admin group.
Scenario: Automated Log Collection Job
Description: A scheduled job using LogParser or PowerShell scripts collects logs and may trigger IOCs due to command-line arguments or file access patterns.
Filter/Exclusion: Exclude processes related to log collection tools (e.g., LogParser.exe, PowerShell.exe) running under a known log collection service account.
Scenario: Software Update or Patch Deployment
Description: A legitimate update process, such as using WSUS or Chocolatey, may trigger IOCs due to file access or execution of scripts.
Filter/Exclusion: Exclude processes associated with update tools (e.g., wsusutil.exe, choco.exe) or running during scheduled update windows.
Scenario: Database Backup or Restore Operation
Description: A database backup tool like SQL Server Backup Utility or pg_dump may trigger IOCs due to file system access or command-line execution.
Filter/Exclusion: Exclude processes related to backup tools (e.g., `sqlbackup.exe