The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with sophisticated malware and persistent access techniques. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage.
IOC Summary

Malware Family: Kimwolf
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 167[.]172[.]40[.]69:25001 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 164[.]90[.]197[.]155:25001 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 164[.]90[.]205[.]39:25001 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 174[.]138[.]12[.]239:25001 | botnet_cc | 2026-05-18 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
// Matches on IP only; the IOC port (25001) is not filtered but is projected
// so analysts can confirm it in the results.
let malicious_ips = dynamic(["167.172.40.69", "174.138.12.239", "164.90.197.155", "164.90.205.39"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Kimwolf
// RemotePort is projected so hits on the IOC port (25001) stand out.
let malicious_ips = dynamic(["167.172.40.69", "174.138.12.239", "164.90.197.155", "164.90.205.39"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
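The indicators in the table are defanged ip:port pairs, while the queries above match on IP alone. The following added example (not part of the rule page or ThreatFox) refangs the table entries, emits the `dynamic([...])` list the queries start with, and runs both an ip:port match and an IP-only match over constructed sample events shaped like DeviceNetworkEvents rows.

```python
# Added example: refang the defanged ip:port IOCs from the table above and
# match them against constructed network events (not the page's own code).

KIMWOLF_IOCS = [  # defanged indicators copied from the Kimwolf IOC table
    "167[.]172[.]40[.]69:25001",
    "164[.]90[.]197[.]155:25001",
    "164[.]90[.]205[.]39:25001",
    "174[.]138[.]12[.]239:25001",
]

def refang(ioc: str) -> tuple[str, int]:
    """Convert a defanged 'a[.]b[.]c[.]d:port' string to an (ip, port) pair."""
    ip, _, port = ioc.replace("[.]", ".").partition(":")
    return ip, int(port)

def kql_ip_list(iocs: list[str]) -> str:
    """Build the dynamic([...]) IP list literal the page's KQL queries start with."""
    ips = sorted({refang(i)[0] for i in iocs})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"

# Constructed sample events shaped like DeviceNetworkEvents rows (not real data).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "167.172.40.69", "RemotePort": 25001,
     "InitiatingProcessFileName": "svchost.exe"},   # IP and port match
    {"DeviceName": "ws02", "RemoteIP": "167.172.40.69", "RemotePort": 443,
     "InitiatingProcessFileName": "chrome.exe"},    # IP matches, other port
    {"DeviceName": "ws03", "RemoteIP": "8.8.8.8", "RemotePort": 53,
     "InitiatingProcessFileName": "svchost.exe"},   # benign
]

def hunt(events: list[dict], iocs: list[str], require_port: bool = True) -> list[dict]:
    """Match events on ip:port (what the indicator states) or, with
    require_port=False, on IP alone as the page's KQL queries do."""
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for ev in events:
        if require_port:
            matched = (ev["RemoteIP"], ev["RemotePort"]) in pairs
        else:
            matched = ev["RemoteIP"] in ips
        if matched:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    print(kql_ip_list(KIMWOLF_IOCS))
    for ev in hunt(SAMPLE_EVENTS, KIMWOLF_IOCS):
        print("hit:", ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"])
```

The IP-only mode returns the extra ws02 event, which is the wider net the KQL casts; triage it by checking RemotePort against 25001.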
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that matches the IOCs (e.g., psutil or subprocess calls) as part of routine system monitoring or cleanup.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.command_line:"schtasks.exe"
Scenario: Admin Performing Disk Cleanup
Description: An admin uses a tool like Disk Cleanup or CCleaner to remove temporary files, which may trigger IOCs related to file deletion or system scanning.
Filter/Exclusion: process.name:"cleanmgr.exe" or process.name:"ccleaner.exe"
Scenario: Log File Rotation Using Logrotate
Description: The logrotate utility is used to rotate and compress log files, which may involve file operations that match the IOCs.
Filter/Exclusion: process.name:"logrotate" or process.command_line:"/usr/sbin/logrotate"
Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent job is performing a backup, which may involve file system operations that resemble malicious activity.
Filter/Exclusion: process.parent_process_name:"sqlservr.exe" or process.command_line:"sqlcmd.exe"
Scenario: Security Tool Performing Baseline Scan
Description: A security tool like OSSEC or Tripwire is running a baseline integrity check, which may trigger IOCs related to file monitoring or system scanning.
Filter/Exclusion: process.name:"ossec" or process.name:"tripwire" or process.command_line:"ossecq"