Adversaries may use Cobalt Strike to establish command-and-control channels, exfiltrate data and maintain persistent access; the indicators below are infrastructure reported as Cobalt Strike C2. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and contain such activity early.
IOC Summary

Malware Family: Cobalt Strike
Total IOCs: 32
IOC Types: ip:port, domain
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["124.71.141.30", "43.138.165.203", "165.22.225.218", "54.247.3.153", "47.103.95.85", "176.97.124.68", "129.211.2.123", "154.23.185.34", "49.233.215.164", "47.116.211.215", "38.181.42.160", "154.38.114.115", "82.157.52.180"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["124.71.141.30", "43.138.165.203", "165.22.225.218", "54.247.3.153", "47.103.95.85", "176.97.124.68", "129.211.2.123", "154.23.185.34", "49.233.215.164", "47.116.211.215", "38.181.42.160", "154.38.114.115", "82.157.52.180"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["ds.metric-take-datadqct.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
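The `let malicious_ips = dynamic([...])` lists in the queries above must be rebuilt each time the feed changes, and the feed publishes its values defanged (`1[.]2[.]3[.]4:443`). The following Python script is an added example, not part of the original page or of any ThreatFox tooling: it refangs `ip:port` and `domain` rows, drops malformed or low-confidence entries, collapses `ip:port` pairs to unique IPs, and prints the KQL `let` statements. The sample rows are constructed for illustration.

```python
import ipaddress
import json
import re
from typing import Iterable

# Constructed sample rows in the IOC-summary layout: (type, defanged value, confidence %).
SAMPLE_IOCS = [
    ("ip:port", "43[.]138[.]165[.]203:443", 100),
    ("ip:port", "43[.]138[.]165[.]203:8080", 100),   # same host, second port
    ("ip:port", "154[.]23[.]185[.]34:80", 75),
    ("domain", "ds[.]metric-take-datadqct[.]com", 100),
    ("ip:port", "not-an-ip[.]example:443", 100),     # malformed row, must be skipped
]

def refang(value: str) -> str:
    """Undo the [.] defanging used in the feed: 1[.]2[.]3[.]4 -> 1.2.3.4."""
    return re.sub(r"\[\.\]", ".", value)

def split_ip_port(value: str):
    """Return (ip, port) for a refanged ip:port string, or None if not a valid IPv4/port."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    try:
        return str(ipaddress.IPv4Address(host)), int(port)
    except ValueError:  # AddressValueError is a ValueError subclass
        return None

def build_indicator_sets(rows, min_confidence=75):
    """Collapse ip:port rows to unique IPs (order preserved) and collect domains."""
    ips, domains = [], []
    for ioc_type, raw, confidence in rows:
        if confidence < min_confidence:
            continue
        value = refang(raw)
        if ioc_type == "ip:port":
            parsed = split_ip_port(value)
            if parsed and parsed[0] not in ips:
                ips.append(parsed[0])
        elif ioc_type == "domain" and value not in domains:
            domains.append(value)
    return ips, domains

def kql_let(name: str, values: Iterable[str]) -> str:
    """Emit a KQL 'let' statement; json.dumps quotes each value safely."""
    return f"let {name} = dynamic({json.dumps(list(values))});"

if __name__ == "__main__":
    ips, domains = build_indicator_sets(SAMPLE_IOCS)
    print(kql_let("malicious_ips", ips))
    print(kql_let("malicious_domains", domains))
```

Paste the printed `let` lines in place of the hard-coded ones in the queries above; raising `min_confidence` to 100 drops the 75% entry.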
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage for Red Team Exercises
Description: Security teams may use Cobalt Strike as part of authorized red team simulations.
Filter/Exclusion: Check for the presence of `redteam` or `authorized` in the command line or session metadata. Use a filter like:

```
(process.name == "cobaltstrike.exe") and (command_line contains "redteam" or command_line contains "authorized")
```

Scenario: Scheduled Job Running Cobalt Strike for Automation
Description: An enterprise may schedule Cobalt Strike to run as part of an automated security testing or incident response workflow.
Filter/Exclusion: Filter by job name or user context, such as:

```
(process.name == "cobaltstrike.exe") and (user == "security_ops") and (process.parent.name == "schtasks.exe")
```

Scenario: Admin Task Using Cobalt Strike for Network Enumeration
Description: System administrators may use Cobalt Strike to perform network discovery or enumeration during troubleshooting.
Filter/Exclusion: Filter by user context and command line arguments, such as:

```
(process.name == "cobaltstrike.exe") and (user == "admin") and (command_line contains "network" or command_line contains "enum")
```

Scenario: Cobalt Strike Used for Internal Tooling or Custom Scripts
Description: Some organizations may use Cobalt Strike as a base for internal tools or custom scripts.
Filter/Exclusion: Check for the presence of internal tooling identifiers or custom script names in the command line, such as:

```
(process.name == "cobaltstrike.exe") and (command_line contains "internal_tool" or command_line contains "custom_script")
```