The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with malware distribution and command and control infrastructure. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate early-stage compromises from a known malicious actor.
IOC Summary
Malware Family: Kimwolf
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 64[.]225[.]64[.]37:25001 | botnet_cc | 2026-05-19 | 100% |
| ip:port | 164[.]92[.]154[.]242:25001 | botnet_cc | 2026-05-19 | 100% |
| ip:port | 104[.]248[.]92[.]176:25001 | botnet_cc | 2026-05-19 | 100% |
| ip:port | 104[.]248[.]89[.]120:25001 | botnet_cc | 2026-05-19 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
// The ThreatFox entries list port 25001; matching on IP alone also surfaces
// connections to these hosts on other ports.
let malicious_ips = dynamic(["104.248.89.120", "164.92.154.242", "64.225.64.37", "104.248.92.176"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["104.248.89.120", "164.92.154.242", "64.225.64.37", "104.248.92.176"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
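The queries above match on IP only, while the ThreatFox entries are ip:port pairs. The following Python script is an added example (not part of the ThreatFox page or the Sentinel rule) that refangs the four published IOCs, validates them, and runs them against constructed CommonSecurityLog-style records, once the way the KQL does (IP on any port) and once with the port required, so the difference in hit count is visible. The record layout and sample values are assumptions for illustration.

```python
"""Match defanged ThreatFox ip:port IOCs against connection log records."""
import ipaddress
import re

# Constructed copy of the four Kimwolf entries, in the defanged form ThreatFox publishes.
DEFANGED_IOCS = [
    "64[.]225[.]64[.]37:25001",
    "164[.]92[.]154[.]242:25001",
    "104[.]248[.]92[.]176:25001",
    "104[.]248[.]89[.]120:25001",
]

# Constructed sample records shaped like CommonSecurityLog rows (assumed field names).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-05-20T08:01:12Z", "SourceIP": "10.0.0.15", "SourcePort": 50213,
     "DestinationIP": "64.225.64.37", "DestinationPort": 25001, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-20T08:02:40Z", "SourceIP": "10.0.0.22", "SourcePort": 50214,
     "DestinationIP": "64.225.64.37", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-20T08:03:05Z", "SourceIP": "104.248.89.120", "SourcePort": 25001,
     "DestinationIP": "10.0.0.9", "DestinationPort": 3389, "DeviceAction": "deny"},
    {"TimeGenerated": "2026-05-20T08:04:00Z", "SourceIP": "10.0.0.31", "SourcePort": 50215,
     "DestinationIP": "198.51.100.7", "DestinationPort": 443, "DeviceAction": "allow"},
]


def refang(value: str) -> str:
    """Undo common defanging: '[.]' and '(.)' become '.', 'hxxp' becomes 'http'."""
    return re.sub(r"\[\.\]|\(\.\)", ".", value).replace("hxxp", "http")


def parse_ip_port(ioc: str) -> tuple:
    """Split an 'ip:port' IOC and validate both halves; raises ValueError on bad input."""
    host, sep, port = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"no port in IOC: {ioc}")
    ip = str(ipaddress.ip_address(host))  # raises ValueError if host is not an IP address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"bad port in IOC: {ioc}")
    return ip, port_num


def build_index(iocs) -> dict:
    """Map each IOC IP to the set of ports listed for it."""
    index = {}
    for ioc in iocs:
        ip, port = parse_ip_port(ioc)
        index.setdefault(ip, set()).add(port)
    return index


def match_record(record: dict, index: dict, require_port: bool):
    """Return (ip, observed_port) for an IOC hit in either direction, or None.

    require_port=False mirrors the KQL above (IP hit on any port counts);
    require_port=True also demands the observed port be one ThreatFox lists.
    """
    for ip_field, port_field in (("DestinationIP", "DestinationPort"),
                                 ("SourceIP", "SourcePort")):
        ip = record.get(ip_field)
        if ip not in index:
            continue
        port = record.get(port_field)
        if not require_port or port in index[ip]:
            return ip, port
    return None


def hunt(records, index: dict, require_port: bool = False) -> list:
    """Return [(TimeGenerated, ip, port)] for records hitting an IOC, newest first."""
    hits = []
    for rec in records:
        hit = match_record(rec, index, require_port)
        if hit:
            hits.append((rec["TimeGenerated"], *hit))
    return sorted(hits, reverse=True)


if __name__ == "__main__":
    idx = build_index(DEFANGED_IOCS)
    for mode in (False, True):
        print(f"require_port={mode}:")
        for hit in hunt(SAMPLE_RECORDS, idx, require_port=mode):
            print("  ", hit)
```

With the constructed records, the IP-only pass returns three hits and the ip:port pass returns two; the connection to 64.225.64.37 on port 443 is the one that drops out, which is the kind of record worth reviewing by hand rather than discarding.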
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that matches the IOCs (e.g., psutil, subprocess, or os.system) used in the Kimwolf detection.
Filter/Exclusion: process.parent_process_name:*schtasks* or process.name:*schtasks.exe*
Scenario: Admin Task – PowerShell Script Execution
Description: An administrator runs a PowerShell script using powershell.exe that includes commands like Get-Process or Invoke-Command, which may match the IOCs.
Filter/Exclusion: process.name:*powershell.exe* AND (process.parent_process_name:*taskmgr* OR process.parent_process_name:*cmd.exe*)
Scenario: Log Collection Tool Running
Description: A log collection tool like logstash or splunkforwarder uses IOCs such as curl or wget to fetch logs, triggering the rule.
Filter/Exclusion: process.name:*logstash* OR process.name:*splunkforwarder* OR process.name:*curl* AND process.parent_process_name:*splunk*
Scenario: Software Update Process
Description: A legitimate software update process (e.g., msiexec.exe) uses IOCs like msiexec or regsvr32, which may be flagged by the rule.
Filter/Exclusion: process.name:*msiexec.exe* OR process.name:*regsvr32.exe* AND process.parent_process_name:*setup.exe*
Scenario: Internal Monitoring Tool Execution
Description: An internal monitoring tool like Prometheus or Zabbix uses IOCs such as curl or wget