The ThreatFox: Cobalt Strike IOCs rule flags network activity to infrastructure that ThreatFox (the abuse.ch indicator-sharing platform) has reported as Cobalt Strike command-and-control. Cobalt Strike is a commercial adversary-simulation and post-exploitation framework, not a threat actor; cracked copies are widely used by ransomware operators and state-sponsored groups, so a hit is a strong lead but still needs triage against the port, confidence and first-seen date published with each indicator. SOC teams can use the queries below to hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) and catch beaconing early, before the operator moves laterally.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 31
IOC Types: ip:port, domain
The table below lists the ip:port entries. The single domain indicator and two further IPs (47.92.206.63 and 85.137.240.208) appear only in the hunting queries further down, so the table does not reproduce all 31 indicators.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]136[.]180[.]88:80 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 160[.]202[.]230[.]103:8080 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 160[.]202[.]230[.]103:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 47[.]121[.]181[.]148:80 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 47[.]121[.]181[.]148:8080 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 8[.]219[.]158[.]30:8080 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 45[.]87[.]53[.]6:8443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 120[.]55[.]3[.]157:10000 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 117[.]72[.]220[.]212:8080 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 43[.]136[.]180[.]88:8080 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 43[.]136[.]180[.]88:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 47[.]121[.]181[.]148:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 124[.]220[.]41[.]22:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 211[.]159[.]225[.]77:80 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 160[.]202[.]230[.]103:80 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 49[.]233[.]105[.]49:4444 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 139[.]5[.]108[.]17:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 193[.]233[.]130[.]136:3389 | botnet_cc | 2026-06-11 | 99% |
| ip:port | 156[.]234[.]211[.]138:8821 | botnet_cc | 2026-06-11 | 50% |
| ip:port | 156[.]234[.]211[.]165:8821 | botnet_cc | 2026-06-11 | 50% |
| ip:port | 219[.]92[.]2[.]65:443 | botnet_cc | 2026-06-11 | 50% |
| ip:port | 192[.]144[.]213[.]21:18443 | botnet_cc | 2026-06-11 | 50% |
| ip:port | 18[.]175[.]227[.]88:80 | botnet_cc | 2026-06-11 | 50% |
| ip:port | 45[.]67[.]84[.]76:3389 | botnet_cc | 2026-06-11 | 86% |
| ip:port | 34[.]92[.]128[.]98:8080 | botnet_cc | 2026-06-11 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: this matches on IP only. The feed publishes ip:port pairs, so compare
// DestinationPort against the table before escalating a hit.
let malicious_ips = dynamic(["139.5.108.17", "120.55.3.157", "47.121.181.148", "45.87.53.6", "8.219.158.30", "156.234.211.165", "124.220.41.22", "49.233.105.49", "160.202.230.103", "219.92.2.65", "117.72.220.212", "47.92.206.63", "192.144.213.21", "18.175.227.88", "211.159.225.77", "85.137.240.208", "43.136.180.88", "156.234.211.138", "193.233.130.136", "34.92.128.98", "45.67.84.76"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Cobalt Strike
// InitiatingProcessFileName is the first triage pivot: a browser or an
// unsigned binary in a user-writable path tells very different stories.
let malicious_ips = dynamic(["139.5.108.17", "120.55.3.157", "47.121.181.148", "45.87.53.6", "8.219.158.30", "156.234.211.165", "124.220.41.22", "49.233.105.49", "160.202.230.103", "219.92.2.65", "117.72.220.212", "47.92.206.63", "192.144.213.21", "18.175.227.88", "211.159.225.77", "85.137.240.208", "43.136.180.88", "156.234.211.138", "193.233.130.136", "34.92.128.98", "45.67.84.76"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
// has_any matches the listed name and names that contain it (e.g. subdomains);
// use in~ instead if you want an exact, case-insensitive match.
let malicious_domains = dynamic(["1364170351-5ezc7c8ssf.ap-guangzhou.tencentscf.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
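The feed publishes ip:port pairs, but the queries above match on bare IP, which also fires on any unrelated service hosted on a shared or reassigned cloud address. The following Python is an added example, not part of ThreatFox or of the Sentinel rule: it parses rows copied from the IOC table, matches constructed firewall-style events both port-aware and IP-only under a confidence threshold, and emits a port-aware KQL variant that joins CommonSecurityLog against a datatable. The `Ioc` class, `SAMPLE_EVENTS`, the 75% threshold and the emitted query shape are assumptions for the demonstration.

```python
"""Port-aware matching of ThreatFox ip:port IOCs against firewall/flow events.

Added example; it is not part of the ThreatFox feed or of the Sentinel rule.
IOC_ROWS is copied from the table on this page; SAMPLE_EVENTS is constructed
for the demonstration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Subset of rows copied verbatim from the IOC table above (defanged as published).
IOC_ROWS = """
| ip:port | 43[.]136[.]180[.]88:80 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 43[.]136[.]180[.]88:8080 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 193[.]233[.]130[.]136:3389 | botnet_cc | 2026-06-11 | 99% |
| ip:port | 156[.]234[.]211[.]138:8821 | botnet_cc | 2026-06-11 | 50% |
| ip:port | 18[.]175[.]227[.]88:80 | botnet_cc | 2026-06-11 | 50% |
"""

# Constructed CommonSecurityLog-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"DestinationIP": "43.136.180.88", "DestinationPort": 80},      # published ip:port pair
    {"DestinationIP": "43.136.180.88", "DestinationPort": 22},      # same host, unlisted service
    {"DestinationIP": "193.233.130.136", "DestinationPort": 3389},  # 99% indicator
    {"DestinationIP": "156.234.211.138", "DestinationPort": 8821},  # 50% indicator
    {"DestinationIP": "10.0.0.5", "DestinationPort": 443},          # internal, benign
]


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    threat_type: str
    first_seen: str
    confidence: int  # percent, as published


def refang(value: str) -> str:
    """Undo the 1[.]2[.]3[.]4 defanging used in the report."""
    return value.replace("[.]", ".")


def parse_iocs(table: str) -> list[Ioc]:
    """Parse markdown ip:port rows; a mangled address raises ValueError rather than silently never matching."""
    iocs = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] != "ip:port":
            continue
        ip, _, port = refang(cells[1]).rpartition(":")
        ipaddress.ip_address(ip)  # validates the refanged literal
        iocs.append(Ioc(ip, int(port), cells[2], cells[3], int(cells[4].rstrip("%"))))
    return iocs


def match_events(events, iocs, min_confidence=75, require_port=True):
    """Return (event, ioc) pairs for destinations that hit an indicator.

    require_port=True compares the published ip:port pair. require_port=False
    reproduces the IP-only behaviour of the KQL above, which also fires on
    unrelated services hosted on the same address.
    """
    by_ip: dict[str, list[Ioc]] = {}
    for ioc in iocs:
        if ioc.confidence >= min_confidence:
            by_ip.setdefault(ioc.ip, []).append(ioc)
    hits = []
    for ev in events:
        candidates = by_ip.get(ev["DestinationIP"], [])
        hit = next((i for i in candidates if not require_port or i.port == ev["DestinationPort"]), None)
        if hit is not None:
            hits.append((ev, hit))
    return hits


def kql_port_aware(iocs, min_confidence=75) -> str:
    """Emit a CommonSecurityLog query that joins on ip AND port (assumed query shape, not the page's own)."""
    rows = ",\n".join(
        f'    "{i.ip}", {i.port}, {i.confidence}' for i in iocs if i.confidence >= min_confidence
    )
    return (
        "let cs_c2 = datatable(ip:string, port:int, confidence:int) [\n"
        f"{rows}\n];\n"
        "CommonSecurityLog\n"
        "| where isnotempty(DestinationIP)\n"
        "| join kind=inner cs_c2 on $left.DestinationIP == $right.ip, "
        "$left.DestinationPort == $right.port\n"
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, confidence, DeviceAction, Activity\n"
        "| order by TimeGenerated desc"
    )


def demo() -> tuple[int, int, int]:
    """(iocs parsed, port-aware hits, ip-only hits) over the sample events."""
    iocs = parse_iocs(IOC_ROWS)
    return (
        len(iocs),
        len(match_events(SAMPLE_EVENTS, iocs)),
        len(match_events(SAMPLE_EVENTS, iocs, require_port=False)),
    )


if __name__ == "__main__":
    parsed, strict, loose = demo()
    print(f"{parsed} IOCs parsed, {strict} port-aware hits, {loose} IP-only hits")
    print(kql_port_aware(parse_iocs(IOC_ROWS)))
```

Run it and the IP-only pass reports one more hit than the port-aware pass: the connection to 43.136.180.88 on port 22, which the feed never listed. Lowering `min_confidence` to 50 brings the 8821/tcp indicator back into scope, which is the trade-off the 50% rows in the table force you to make explicitly rather than by default.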
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector (firewalls, proxies). Confirm your device's CEF mapping fills DestinationPort, or the port check against the table is impossible. |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR (Microsoft 365 Defender) connector with the DeviceNetworkEvents raw event stream enabled. |
| DnsEvents | Written by the legacy DNS connector; the newer Windows DNS via AMA connector writes to ASimDnsActivityLogs instead, so check which table your workspace actually has and adapt the query. |
Scenario: Authorized Red Team or Purple Team Exercise
Description: An internal or contracted red team may run Cobalt Strike during an authorized engagement. Such teams normally stand up their own team servers, so traffic to infrastructure on this ThreatFox list is unlikely to be theirs; confirm with the team before excluding anything.
Filter/Exclusion: Do not exclude on strings such as redteam or exercise in a process name or command line; those are trivially spoofed, and the CommonSecurityLog and DnsEvents queries carry no process context at all. Keep a watchlist of the engagement's team-server addresses and time window instead, and exclude a match only where the destination is on that watchlist and the event falls inside the window.
Scenario: Shared or Reassigned Cloud Infrastructure
Description: Several listed addresses fall in public cloud ranges, and the listed domain sits under a serverless-hosting parent (tencentscf.com). Cloud addresses are reassigned, so a later, unrelated tenant can inherit an IP after the C2 is torn down, and a shared host can serve legitimate traffic on other ports.
Filter/Exclusion: Match on the ip:port pair rather than the bare IP, check the indicator's last-seen date on ThreatFox, and, for TLS destinations, compare the server certificate seen on the endpoint with what ThreatFox reports before closing as benign. Suppress the specific pair, never the whole IP.
Scenario: Internal Security Tooling That Contacts Indicators on Purpose
Description: Threat-intelligence enrichment, sandbox detonation, IP/URL reputation checks and vulnerability scanners may connect to listed addresses deliberately.
Filter/Exclusion: Exclude by the source host or service account of that tooling (for example a watchlist of scanner and sandbox egress IPs), never by the indicator, so the same indicator still fires for any other host.
Scenario: Detection Validation in CI/CD or Breach-and-Attack-Simulation Pipelines
Description: Pipelines that replay attack traffic to validate detections may resolve or connect to the listed domain and IPs on a schedule.
Filter/Exclusion: Exclude by the runner's source IP or the pipeline service account (e.g. Jenkins, GitLab CI, or Azure DevOps agents), and scope the exclusion to the validation job's schedule so an out-of-hours hit from the same runner is still raised.
Scenario: Cobalt Strike Used for Internal Security Training
Description: Security training programs may use Cobalt Strike to demonstrate attack techniques in a controlled environment.
Filter/Exclusion: Exclude processes that are executed from a known training directory or are associated with