The ThreatFox: Kimwolf IOCs rule detects potential adversary activity linked to the Kimwolf threat group, which is associated with malicious network traffic and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises from a known advanced threat actor.
IOC Summary
Malware Family: Kimwolf Total IOCs: 13 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 161[.]35[.]90[.]66:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 142[.]93[.]129[.]2:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 159[.]65[.]203[.]136:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 167[.]99[.]36[.]110:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 167[.]172[.]43[.]29:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 142[.]93[.]143[.]106:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 167[.]71[.]11[.]43:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 165[.]232[.]93[.]148:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 188[.]166[.]69[.]57:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 146[.]190[.]230[.]149:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 159[.]223[.]223[.]37:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 178[.]62[.]247[.]141:25001 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 206[.]189[.]97[.]111:25001 | botnet_cc | 2026-05-21 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Kimwolf
let malicious_ips = dynamic(["142.93.129.2", "167.71.11.43", "167.172.43.29", "165.232.93.148", "142.93.143.106", "146.190.230.149", "206.189.97.111", "161.35.90.66", "188.166.69.57", "159.65.203.136", "167.99.36.110", "178.62.247.141", "159.223.223.37"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["142.93.129.2", "167.71.11.43", "167.172.43.29", "165.232.93.148", "142.93.143.106", "146.190.230.149", "206.189.97.111", "161.35.90.66", "188.166.69.57", "159.65.203.136", "167.99.36.110", "178.62.247.141", "159.223.223.37"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using schtasks.exe to run a maintenance script
Filter/Exclusion: Check for schtasks.exe with command line containing known maintenance scripts (e.g., C:\Windows\System32\Tasks\maintenance_task.bat) and ensure the task is registered in the Windows Task Scheduler.
Scenario: Admin using PowerShell.exe to run a system cleanup script
Filter/Exclusion: Filter events where PowerShell.exe is executed with a script path that matches internal cleanup scripts (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\psconfig.ps1).
Scenario: Regular use of certutil.exe to import trusted certificates
Filter/Exclusion: Exclude instances where certutil.exe is used with certificate import commands (e.g., certutil -addstore -user TrustedPublisher "C:\certs\trusted_cert.cer") and the certificate is known to be internal or trusted.
Scenario: Use of wmic.exe for system inventory collection by IT tools
Filter/Exclusion: Filter out wmic.exe commands related to system inventory (e.g., wmic computersystem get username) that are part of a known IT management tool (e.g., Microsoft System Center).
Scenario: Legitimate use of netsh.exe to configure network settings
Filter/Exclusion: Exclude netsh.exe commands that modify network interfaces or firewall rules as part of a known network configuration process (e.g., netsh advfirewall set currentprofile state blocked).