The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with advanced persistent threats and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises and prevent data loss.
IOC Summary
Malware Family: Kimwolf Total IOCs: 7 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 188[.]166[.]13[.]86:25001 | botnet_cc | 2026-05-08 | 100% |
| ip:port | 174[.]138[.]9[.]61:25001 | botnet_cc | 2026-05-08 | 100% |
| ip:port | 161[.]35[.]158[.]62:25001 | botnet_cc | 2026-05-08 | 100% |
| ip:port | 159[.]223[.]234[.]168:25001 | botnet_cc | 2026-05-08 | 100% |
| ip:port | 159[.]223[.]226[.]156:25001 | botnet_cc | 2026-05-08 | 100% |
| ip:port | 159[.]223[.]233[.]58:25001 | botnet_cc | 2026-05-08 | 100% |
| ip:port | 157[.]245[.]74[.]9:25001 | botnet_cc | 2026-05-08 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
let malicious_ips = dynamic(["188.166.13.86", "174.138.9.61", "159.223.233.58", "159.223.234.168", "161.35.158.62", "159.223.226.156", "157.245.74.9"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["188.166.13.86", "174.138.9.61", "159.223.233.58", "159.223.234.168", "161.35.158.62", "159.223.226.156", "157.245.74.9"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude processes initiated by the Veeam service account or with the command line argument --backup or --schedule.
Scenario: Admin task to update Microsoft Endpoint Protection (EPP) definitions
Filter/Exclusion: Exclude processes with the parent process being msseces.exe or with the command line containing update or definition.
Scenario: Regular execution of PowerShell scripts for log management by the Windows Event Log service
Filter/Exclusion: Exclude processes with the parent process eventlog.exe or with the command line containing log or rotate.
Scenario: Use of AWS CLI to manage EC2 instances as part of infrastructure automation
Filter/Exclusion: Exclude processes with the parent process aws or command line arguments containing ec2 or describe-instances.
Scenario: Execution of Ansible playbooks for configuration management on Linux servers
Filter/Exclusion: Exclude processes with the parent process ansible or command line arguments containing playbook or config.