Cobalt Strike is being used to move laterally across the network, indicating potential adversary persistence and expansion. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain compromise early.
KQL Query
```kusto
AlertInfo
| where Title in("File dropped and launched from remote location", "Suspicious transfer of an executable file")
// Joining in instances where Cobalt Strike's built-in PsExec is used for lateral movement
| join AlertEvidence on $left.AlertId == $right.AlertId
| where FileName matches regex @"^([a-z0-9]){7}\.exe$" and FileName matches regex "[0-9]{1,5}"
```
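To make the filename test concrete, here is an added Python re-implementation of the query's join-and-filter logic (example code, not the page's or Microsoft's own) run over a few constructed AlertInfo and AlertEvidence rows. It shows why the two regexes are combined: the anchored pattern alone would also match ordinary seven-letter binaries such as `svchost.exe`, so the unanchored `[0-9]{1,5}` search is what requires a digit in the name. The dataclass names and sample rows are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Added example, not the page's own code: the KQL hunting query's logic in
# Python so the filename conditions can be exercised against sample records.

# Alert titles the query keys on (copied from the KQL).
SUSPICIOUS_TITLES = {
    "File dropped and launched from remote location",
    "Suspicious transfer of an executable file",
}

# Regexes copied from the KQL: a 7-character lowercase alphanumeric name
# ending in .exe (anchored), which must also contain at least one digit.
SERVICE_EXE_RE = re.compile(r"^([a-z0-9]){7}\.exe$")
HAS_DIGIT_RE = re.compile(r"[0-9]{1,5}")


@dataclass(frozen=True)
class AlertInfoRow:  # hypothetical stand-in for an AlertInfo record
    alert_id: str
    title: str


@dataclass(frozen=True)
class AlertEvidenceRow:  # hypothetical stand-in for an AlertEvidence record
    alert_id: str
    file_name: Optional[str]  # evidence that is not a file carries no FileName


def looks_like_cs_service_binary(file_name: Optional[str]) -> bool:
    """Apply both 'matches regex' conditions from the query.

    KQL's 'matches regex' is an unanchored search, so the second pattern only
    needs to occur somewhere in the name; the first pattern anchors itself.
    An empty/null FileName matches nothing, as in KQL.
    """
    if not file_name:
        return False
    return bool(SERVICE_EXE_RE.search(file_name)) and bool(HAS_DIGIT_RE.search(file_name))


def hunt(alert_info: Iterable[AlertInfoRow],
         alert_evidence: Iterable[AlertEvidenceRow]) -> List[Tuple[str, str]]:
    """Inner-join AlertInfo to AlertEvidence on AlertId, then filter.

    Only the AlertId is carried over from the left side, so the result is the
    same whether the KQL join is 'inner' or the default 'innerunique'.
    """
    candidate_ids = {row.alert_id for row in alert_info if row.title in SUSPICIOUS_TITLES}
    return [
        (row.alert_id, row.file_name)
        for row in alert_evidence
        if row.alert_id in candidate_ids and looks_like_cs_service_binary(row.file_name)
    ]


# Constructed sample rows (not real telemetry).
SAMPLE_ALERT_INFO = [
    AlertInfoRow("A1", "File dropped and launched from remote location"),
    AlertInfoRow("A2", "Suspicious transfer of an executable file"),
    AlertInfoRow("A3", "Unrelated alert title"),
]
SAMPLE_EVIDENCE = [
    AlertEvidenceRow("A1", "k3x9q2p.exe"),   # 7 chars, has digits: hit
    AlertEvidenceRow("A1", "svchost.exe"),   # 7 chars but no digit: no hit
    AlertEvidenceRow("A2", "ab12345.exe"),   # hit
    AlertEvidenceRow("A2", "AB12345.exe"),   # uppercase: anchored regex fails
    AlertEvidenceRow("A2", "a1b2c3d4.exe"),  # 8 chars: anchored regex fails
    AlertEvidenceRow("A2", None),            # non-file evidence row
    AlertEvidenceRow("A3", "z8f2k1m.exe"),   # name fits, but alert title does not
]

if __name__ == "__main__":
    for alert_id, name in hunt(SAMPLE_ALERT_INFO, SAMPLE_EVIDENCE):
        print(f"{alert_id}: {name}")
```

Running the block prints the two hits (`A1: k3x9q2p.exe` and `A2: ab12345.exe`); the other rows are rejected for the reason noted beside each one.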
```yaml
id: 1212ae5c-43cc-4c17-bcbb-d23cf9ad3483
name: Cobalt Strike Lateral Movement
description: |
  Microsoft has observed Bazacall using Cobalt Strike in order to move laterally to other machines on the network.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
tactics:
  - Lateral movement
query: |
  AlertInfo
  | where Title in("File dropped and launched from remote location", "Suspicious transfer of an executable file")
  // Joining in instances where Cobalt Strike's built-in PsExec is used for lateral movement
  | join AlertEvidence on $left.AlertId == $right.AlertId
  | where FileName matches regex @"^([a-z0-9]){7}\.exe$" and FileName matches regex "[0-9]{1,5}"
```
| Sentinel Table | Notes |
|---|---|
| AlertInfo | Ensure this data connector is enabled |
| AlertEvidence | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task is running a script or tool that mimics Cobalt Strike behavior, such as using PsExec or WMIC for remote execution.
Filter/Exclusion: Check for taskname containing “Maintenance” or “Update” and exclude processes initiated by the System or LocalSystem account.
Scenario: Admin Remote Management via PowerShell
Description: An administrator is using PowerShell remoting (Invoke-Command) to manage remote servers, which may trigger similar network activity as Cobalt Strike.
Filter/Exclusion: Filter by processname containing “powershell.exe” and check for commandline containing “Invoke-Command” or “Enter-PSSession”.
Scenario: Legitimate Cobalt Strike Usage for Red Team Exercises
Description: Security teams are using Cobalt Strike as part of a red team exercise to simulate lateral movement.
Filter/Exclusion: Check for processname containing “cobaltstrike” and filter by user being a known red team or security team account.
Scenario: Network Discovery via NetBIOS or SMB
Description: A legitimate network discovery tool like nmap or net view is being used to map the network, which may resemble Cobalt Strike’s network activity.
Filter/Exclusion: Filter by processname containing “nmap.exe” or “net.exe” and exclude traffic to internal IP ranges.
Scenario: Remote Desktop Protocol (RDP) Session Activity
Description: An administrator is using RDP to access a remote machine, which may result in similar network traffic patterns as Cobalt Strike.
Filter/Exclusion: Check for processname containing “mstsc.exe” or “rdp.exe” and verify the presence of