The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be exfiltrating data or maintaining persistence. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 14
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 39[.]106[.]205[.]6:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 39[.]106[.]205[.]6:443 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 43[.]131[.]240[.]236:8080 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 43[.]131[.]240[.]236:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 43[.]131[.]240[.]236:443 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 103[.]230[.]15[.]159:8080 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 151[.]239[.]24[.]160:9090 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 45[.]151[.]101[.]97:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 45[.]151[.]101[.]97:8080 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 177[.]3[.]40[.]2:443 | botnet_cc | 2026-06-16 | 75% |
| domain | mlcs.mlface.net | botnet_cc | 2026-06-16 | 75% |
| ip:port | 45[.]151[.]101[.]97:443 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 129[.]204[.]14[.]131:57000 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 47[.]120[.]20[.]86:8989 | botnet_cc | 2026-06-15 | 100% |
```kql
// Hunt for firewall/proxy connections to known malicious IPs (either direction)
// Source: ThreatFox - Cobalt Strike
// Note: this matches on IP only; the IOC ports (80, 443, 8080, 8989, 9090, 57000)
// are not filtered, so check DestinationPort in the results during triage.
let malicious_ips = dynamic(["39.106.205.6", "129.204.14.131", "177.3.40.2", "47.120.20.86", "45.151.101.97", "151.239.24.160", "43.131.240.236", "103.230.15.159"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events; InitiatingProcessFileName
// shows which process opened the connection
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["39.106.205.6", "129.204.14.131", "177.3.40.2", "47.120.20.86", "45.151.101.97", "151.239.24.160", "43.131.240.236", "103.230.15.159"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
// has_any also catches subdomains of the listed domain
let malicious_domains = dynamic(["mlcs.mlface.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
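The KQL above matches on IP addresses alone, while ThreatFox publishes the indicators as ip:port pairs. The following added example (not part of the original hunting page) shows a small helper a SOC analyst can run offline: it refangs the defanged IOC rows, builds ip:port indicators, renders the `let` arrays in the form the queries use, and classifies constructed CommonSecurityLog-style records as an exact ip:port hit or an IP-only hit. The `IOC_ROWS` excerpt and `FLOW_RECORDS` are constructed sample data, and `classify`/`hunt` are hypothetical helper names.

```python
# Added example (not from the original hunting page): refang the published
# ThreatFox-style IOC rows, build ip:port indicators, render the KQL 'let'
# arrays used by the queries above, and match constructed flow records on
# the full ip:port pair rather than the IP alone.
from collections import defaultdict

# Constructed excerpt of the IOC table above, defanged with [.] as published.
IOC_ROWS = """
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 39[.]106[.]205[.]6:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 39[.]106[.]205[.]6:443 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 43[.]131[.]240[.]236:8080 | botnet_cc | 2026-06-16 | 100% |
| domain | mlcs.mlface.net | botnet_cc | 2026-06-16 | 75% |
| ip:port | 47[.]120[.]20[.]86:8989 | botnet_cc | 2026-06-15 | 100% |
"""

# Constructed CommonSecurityLog-style records; not real telemetry.
FLOW_RECORDS = [
    {"SourceIP": "10.0.0.5", "SourcePort": 50211, "DestinationIP": "39.106.205.6", "DestinationPort": 443},
    {"SourceIP": "10.0.0.7", "SourcePort": 50212, "DestinationIP": "39.106.205.6", "DestinationPort": 8443},
    {"SourceIP": "10.0.0.9", "SourcePort": 50213, "DestinationIP": "8.8.8.8", "DestinationPort": 53},
    {"SourceIP": "47.120.20.86", "SourcePort": 8989, "DestinationIP": "10.0.0.2", "DestinationPort": 51522},
]


def refang(value):
    """Undo common defanging: 39[.]106[.]205[.]6 -> 39.106.205.6, hxxp -> http."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_ioc_table(text):
    """Parse markdown IOC rows into ({ip: {ports}}, {domains}, {indicator: confidence%})."""
    ip_ports = defaultdict(set)
    domains = set()
    confidence = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] not in ("ip:port", "domain"):
            continue  # header, separator or blank line
        ioc_type, value, _threat_type, _first_seen, conf = cells
        value = refang(value)
        conf_pct = int(conf.rstrip("%"))
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports[ip].add(int(port))
            confidence[ip] = max(confidence.get(ip, 0), conf_pct)
        else:
            domains.add(value.lower())
            confidence[value.lower()] = conf_pct
    return dict(ip_ports), domains, confidence


def kql_let(name, values):
    """Render a KQL 'let <name> = dynamic([...]);' line like the queries above."""
    items = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{items}]);"


def classify(record, ip_ports):
    """'exact' when the remote ip:port pair is an indicator, 'ip_only' when just
    the IP matches (the breadth of the KQL above), None otherwise."""
    for ip_field, port_field in (("DestinationIP", "DestinationPort"), ("SourceIP", "SourcePort")):
        ip = record[ip_field]
        if ip in ip_ports:
            return "exact" if record[port_field] in ip_ports[ip] else "ip_only"
    return None


def hunt(records, ip_ports):
    """(index, verdict) for every record that touches an indicator IP."""
    hits = []
    for idx, rec in enumerate(records):
        verdict = classify(rec, ip_ports)
        if verdict:
            hits.append((idx, verdict))
    return hits


if __name__ == "__main__":
    ip_ports, domains, confidence = parse_ioc_table(IOC_ROWS)
    print(kql_let("malicious_ips", ip_ports))
    print(kql_let("malicious_domains", domains))
    for idx, verdict in hunt(FLOW_RECORDS, ip_ports):
        rec = FLOW_RECORDS[idx]
        print(f"record {idx}: {verdict:8} {rec['SourceIP']}:{rec['SourcePort']} "
              f"-> {rec['DestinationIP']}:{rec['DestinationPort']} (conf {confidence[rec['DestinationIP'] if rec['DestinationIP'] in ip_ports else rec['SourceIP']]}%)")
```

An IP-only hit (record 1, port 8443) is still worth reviewing, since Cobalt Strike listeners can be moved between ports, but the exact ip:port hits are the ones that line up with the published feed and deserve priority.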
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to verify connectivity or perform a health check.
Filter/Exclusion: Exclude events where the process name is beacon.exe and the command line includes --checkin or --verify.

Scenario: Admin Task Using Cobalt Strike for Red Team Exercises
Description: Security teams use Cobalt Strike as part of red team training or penetration testing.
Filter/Exclusion: Exclude processes initiated by users with the RedTeam or SecurityTesting group membership, or where the command line includes --redteam or --training.

Scenario: System Maintenance Task Using Cobalt Strike for Log Collection
Description: A system admin uses Cobalt Strike to collect logs for troubleshooting or auditing purposes.
Filter/Exclusion: Exclude processes where the command line includes --logcollect or --audit, or where the parent process is a known system maintenance tool like Task Scheduler or schtasks.exe.

Scenario: Cobalt Strike Beacon Used for Internal Monitoring
Description: A legitimate internal monitoring tool uses Cobalt Strike to monitor network traffic or system performance.
Filter/Exclusion: Exclude processes where the command line includes --monitor or --traffic, or where the process is initiated by a known monitoring service like SolarWinds or Nagios.

Scenario: Cobalt Strike Used for Patch Management Testing
Description: A patch management tool uses Cobalt Strike to simulate or test patch deployment scenarios.
Filter/Exclusion: Exclude processes where the command line includes --patchtest or --simulate, or where the parent process is a known patch management tool like WSUS or SCCM.