The ThreatFox: Kimwolf IOCs rule detects potential adversary activity associated with the Kimwolf threat group, leveraging known indicators of compromise to identify malicious network traffic or system interactions. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Kimwolf Total IOCs: 7 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]233[.]46[.]13:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]235[.]160[.]166:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]87:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]115:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]125:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]148:25001 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 172[.]239[.]238[.]152:25001 | botnet_cc | 2026-05-10 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
let malicious_ips = dynamic(["172.239.238.148", "172.239.238.125", "172.239.238.115", "172.239.238.87", "172.239.238.152", "172.233.46.13", "172.235.160.166"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["172.239.238.148", "172.239.238.125", "172.239.238.115", "172.239.238.87", "172.239.238.152", "172.233.46.13", "172.235.160.166"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may trigger the rule due to similar network activity or file paths.
Filter/Exclusion: Check for process.name = "VeeamBackup.exe" or file.path contains "Veeam" in the event logs.
Scenario: Admin Task – Windows Task Scheduler Running PowerShell Scripts
Description: System administrators may run PowerShell scripts via Task Scheduler for routine maintenance, which could match the IOCs associated with Kimwolf.
Filter/Exclusion: Filter events where process.name = "schtasks.exe" or process.parent.name = "TaskScheduler".
Scenario: Log Management with Splunk Forwarder
Description: The Splunk Universal Forwarder may generate traffic to Splunk servers that could be flagged by the rule due to similar network patterns.
Filter/Exclusion: Check for process.name = "splunkforwarder.exe" or destination.ip = <Splunk_Server_IP>.
Scenario: Database Maintenance Using SQL Server Agent Jobs
Description: SQL Server Agent jobs may execute scripts or connect to remote SQL servers, which could resemble Kimwolf-related network activity.
Filter/Exclusion: Filter for process.name = "sqlservr.exe" or process.name = "sqlagent.exe" and check for known SQL Server processes.
Scenario: Software Update Deployment Using Microsoft Endpoint Configuration Manager (MECM)
Description: MECM may initiate network traffic to download updates or communicate with distribution points, which could be mistaken for Kimwolf IOCs.
Filter/Exclusion: Filter for process.name = "ccmexec.exe" or process.name = "mpcmdrun.exe" and check for known MECM-related network patterns