The ThreatFox: Kimwolf IOCs rule detects potential adversary activity associated with the Kimwolf threat group, leveraging known indicators of compromise to identify malicious network traffic. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary

Malware Family: Kimwolf
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]233[.]48[.]35:25001 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 172[.]233[.]48[.]186:25001 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 172[.]239[.]233[.]54:25001 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 172[.]239[.]233[.]226:25001 | botnet_cc | 2026-05-17 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
// The query matches on IP alone so that any contact with the infrastructure is surfaced.
// All four indicators use port 25001; append "| where DestinationPort == 25001"
// if the IP-only match proves too noisy in your environment.
let malicious_ips = dynamic(["172.239.233.54", "172.239.233.226", "172.233.48.186", "172.233.48.35"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// RemotePort is projected so the analyst can confirm the 25001 port seen in the IOC table.
let malicious_ips = dynamic(["172.239.233.54", "172.239.233.226", "172.233.48.186", "172.233.48.35"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
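The two queries above match on IP only, while the published indicators are ip:port pairs. The following Python script is an added example, not part of the ThreatFox rule or the page's own code: it refangs the defanged indicators from the IOC table, then runs the same two checks offline over constructed sample records (a few CEF lines standing in for CommonSecurityLog, and dictionaries standing in for DeviceNetworkEvents rows), reporting each hit as an exact ip:port match or an IP-only match. The vendor names, hostnames, internal addresses and process names in the sample data are all constructed placeholders.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed copy of the four ip:port indicators from the IOC table above,
# in their published (defanged) form.
DEFANGED_IOCS = [
    "172[.]233[.]48[.]35:25001",
    "172[.]233[.]48[.]186:25001",
    "172[.]239[.]233[.]54:25001",
    "172[.]239[.]233[.]226:25001",
]


def refang(indicator: str) -> tuple[str, int]:
    """Convert a defanged 'a[.]b[.]c[.]d:port' string to (ip, port), validating both."""
    ip_part, sep, port_part = indicator.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"indicator has no port: {indicator!r}")
    ip = str(ipaddress.ip_address(ip_part))  # ValueError on anything that is not an IP
    port = int(port_part)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {indicator!r}")
    return ip, port


IOC_PAIRS = {refang(i) for i in DEFANGED_IOCS}  # exact (ip, port) indicators
IOC_IPS = {ip for ip, _ in IOC_PAIRS}            # IP-only view, as the KQL queries use


@dataclass
class Hit:
    source: str        # which log family produced the hit
    ip: str            # the indicator IP that matched
    port: int | None   # port observed on the same side of the flow, if logged
    exact: bool        # True only when ip AND port match a published indicator
    raw: str           # the original record, for the analyst


def check_flow(source: str, ip: str, port: int | None, raw: str) -> Hit | None:
    """Match on IP first (hunting breadth), then tighten to ip:port when the port is known."""
    if ip not in IOC_IPS:
        return None
    exact = port is not None and (ip, port) in IOC_PAIRS
    return Hit(source, ip, port, exact, raw)


_EXT_RE = re.compile(r"(\w+)=(\S+)")


def parse_cef_extension(line: str) -> dict[str, str]:
    """Pull key=value pairs from the extension part (after the seventh '|') of a CEF line."""
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        return {}
    return dict(_EXT_RE.findall(parts[7]))


def scan_cef(lines: list[str]) -> list[Hit]:
    """Mirror of the CommonSecurityLog query: either side of the flow may be the indicator."""
    hits: list[Hit] = []
    for line in lines:
        ext = parse_cef_extension(line)
        for ip_key, port_key in (("dst", "dpt"), ("src", "spt")):
            ip = ext.get(ip_key)
            if not ip:
                continue
            port = int(ext[port_key]) if ext.get(port_key, "").isdigit() else None
            hit = check_flow("CommonSecurityLog", ip, port, line)
            if hit:
                hits.append(hit)
    return hits


def scan_device_events(events: list[dict]) -> list[Hit]:
    """Mirror of the DeviceNetworkEvents query: only RemoteIP / RemotePort are checked."""
    hits: list[Hit] = []
    for ev in events:
        hit = check_flow("DeviceNetworkEvents", ev.get("RemoteIP", ""), ev.get("RemotePort"), str(ev))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample records (not real telemetry); vendor, hosts and processes are placeholders.
SAMPLE_CEF = [
    "CEF:0|ExampleVendor|NGFW|1.0|100|traffic|3|src=10.0.0.15 dst=172.233.48.35 dpt=25001 act=allow",
    "CEF:0|ExampleVendor|NGFW|1.0|100|traffic|3|src=10.0.0.22 dst=172.233.48.35 dpt=443 act=allow",
    "CEF:0|ExampleVendor|NGFW|1.0|100|traffic|3|src=10.0.0.9 dst=192.0.2.53 dpt=53 act=allow",
    "CEF:0|ExampleVendor|NGFW|1.0|101|traffic|5|src=172.239.233.226 dst=10.0.0.40 dpt=3389 act=deny",
]
SAMPLE_DEVICE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "172.239.233.54", "RemotePort": 25001, "InitiatingProcessFileName": "updater.exe"},
    {"DeviceName": "ws02", "RemoteIP": "192.0.2.10", "RemotePort": 443, "InitiatingProcessFileName": "browser.exe"},
]

if __name__ == "__main__":
    for hit in scan_cef(SAMPLE_CEF) + scan_device_events(SAMPLE_DEVICE_EVENTS):
        label = "EXACT" if hit.exact else "IP-ONLY"
        print(f"[{label}] {hit.source}: {hit.ip}:{hit.port} <- {hit.raw}")
```

The IP-only hits are deliberately kept rather than dropped: the fourth CEF line is an inbound connection from an indicator IP where the firewall logged no source port, and the second is traffic to an indicator IP on a port other than 25001. Both are worth an analyst's look even though they do not reproduce the published pair, which is the same trade-off the IP-only KQL queries make.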
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task runs a script that matches the IOCs (e.g., psutil, subprocess) used in the Kimwolf detection. | `process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks.exe"` |
| Admin Performing System Monitoring with Wireshark | An admin is using Wireshark to monitor network traffic, which may include tools or processes that match the Kimwolf IOCs. | `process.name == "wireshark.exe" or process.user contains "admin"` |
| Database Backup Job Using mysqldump | A scheduled database backup job uses mysqldump, which may be flagged due to its command-line arguments or file paths. | `process.name == "mysqldump.exe" or process.command_line contains "backup"` |
| Security Tool Running Automated Scans (e.g., Nessus) | A security tool like Nessus is performing an automated scan, and its execution environment matches the IOCs. | `process.name == "nessuscli.exe" or process.user contains "security"` |
| DevOps Pipeline Using Ansible for Configuration Management | Ansible playbooks are executed as part of a CI/CD pipeline, and the execution context matches the Kimwolf IOCs. | `process.name == "ansible.exe" or process.command_line contains "ansible-playbook"` |