The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with malicious network traffic and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by a sophisticated and persistent threat actor.
IOC Summary
Malware Family: Kimwolf Total IOCs: 3 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 134[.]122[.]48[.]21:25001 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 146[.]190[.]18[.]251:25001 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 167[.]71[.]66[.]3:25001 | botnet_cc | 2026-05-06 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
let malicious_ips = dynamic(["167.71.66.3", "146.190.18.251", "134.122.48.21"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["167.71.66.3", "146.190.18.251", "134.122.48.21"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOCs due to its file name or command-line arguments.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.command_line:"schtasks.exe"
Scenario: Admin Performing Log Collection via PowerShell
Description: An administrator uses PowerShell to collect logs, and the script name or command-line arguments match the Kimwolf IOCs.
Filter/Exclusion: process.user:"Administrator" and process.process_name:"powershell.exe" with command_line containing "log" or "event"
Scenario: Regular Backup Job Using rsync or Backup Tools
Description: A backup tool like rsync or Veeam is executed with command-line arguments that resemble Kimwolf IOCs.
Filter/Exclusion: process.command_line:"rsync" or "Veeam" or process.process_name:"rsync.exe" or "Veeam.exe"
Scenario: Software Update Deployment via SCCM
Description: A Software Center or SCCM update deployment triggers a process that matches the IOCs due to its execution context or file name.
Filter/Exclusion: process.parent_process_name:"Software Center" or process.parent_process_name:"ccmexec.exe"
Scenario: Internal Monitoring Tool Using NetFlow or Zeek
Description: A network monitoring tool like Zeek or a NetFlow collector is running and its process or command-line arguments match the IOCs.
Filter/Exclusion: process.process_name:"zeek" or "ntopng" or process.command_line:"flow" or "packet"