The detection identifies potential Cobalt Strike command and control activity through associated IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early in the attack lifecycle.
IOC Summary

Malware Family: Cobalt Strike
Total IOCs: 7
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 101[.]126[.]10[.]34:443 | botnet_cc | 2026-05-23 | 100% |
| ip:port | 8[.]137[.]170[.]3:80 | botnet_cc | 2026-05-23 | 100% |
| ip:port | 43[.]173[.]105[.]177:80 | botnet_cc | 2026-05-23 | 100% |
| ip:port | 68[.]64[.]178[.]130:7443 | botnet_cc | 2026-05-23 | 100% |
| ip:port | 35[.]220[.]177[.]232:443 | botnet_cc | 2026-05-23 | 100% |
| ip:port | 102[.]204[.]223[.]106:443 | botnet_cc | 2026-05-23 | 100% |
| ip:port | 47[.]104[.]199[.]189:80 | botnet_cc | 2026-05-23 | 100% |
```kql
// Hunt for network connections to known malicious IPs (firewall/proxy logs)
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["47.104.199.189", "35.220.177.232", "43.173.105.177", "68.64.178.130", "102.204.223.106", "101.126.10.34", "8.137.170.3"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events (run as a separate query)
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["47.104.199.189", "35.220.177.232", "43.173.105.177", "68.64.178.130", "102.204.223.106", "101.126.10.34", "8.137.170.3"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
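The two queries above match on the IP address alone, so a connection to one of these hosts on an unrelated port (a shared hosting address serving ordinary web traffic, for instance) produces the same hit as a beacon check-in on the listed C2 port. The following added example, which is not part of the original page, matches the full ip:port pair from the IOC table, unions both data sources into one result, and summarises per host so a periodic beacon shows up as a repeated count rather than as individual rows. It assumes the standard Sentinel schemas for CommonSecurityLog (DeviceName, SourceIP, DestinationIP, DestinationPort) and DeviceNetworkEvents (Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName); the alias names such as cs_iocs, from_csl and from_mde are the example's own.

```kql
// Added example: match the ip:port pair from the IOC table, not the IP alone.
// Source of the pairs: the ThreatFox Cobalt Strike IOC table on this page.
let cs_iocs = datatable(ioc_ip:string, ioc_port:int) [
    "101.126.10.34", 443,
    "8.137.170.3", 80,
    "43.173.105.177", 80,
    "68.64.178.130", 7443,
    "35.220.177.232", 443,
    "102.204.223.106", 443,
    "47.104.199.189", 80
];
// Normalise firewall/proxy logs to a common shape (no process context available here)
let from_csl = CommonSecurityLog
    | where isnotempty(DestinationIP)
    | project TimeGenerated, Host=DeviceName, LocalAddr=SourceIP,
              RemoteIP=DestinationIP, RemotePort=toint(DestinationPort),
              Process="", Source="CommonSecurityLog";
// Normalise Defender for Endpoint network events to the same shape
let from_mde = DeviceNetworkEvents
    | project TimeGenerated=Timestamp, Host=DeviceName, LocalAddr=LocalIP,
              RemoteIP, RemotePort=toint(RemotePort),
              Process=InitiatingProcessFileName, Source="DeviceNetworkEvents";
union from_csl, from_mde
// Inner join on both columns: only the listed port for each IP is a hit
| join kind=inner cs_iocs on $left.RemoteIP == $right.ioc_ip and $left.RemotePort == $right.ioc_port
// One row per host/C2 pair; a beacon checking in on a schedule yields a high Connections count
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Connections=count(),
            Processes=make_set(Process, 10), Sources=make_set(Source)
            by Host, RemoteIP, RemotePort
| order by LastSeen desc
```

Run it over a 24-hour window first; a host that appears with a steady Connections count and a single initiating process is the pattern to escalate, while a single hit from a proxy log with no endpoint corroboration is the one to validate against the data-connector coverage listed in the table that follows.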
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to verify connectivity or perform a health check.
Filter/Exclusion: Exclude processes where the parent process is schtasks.exe and the command line includes beacon or checkin.
Scenario: Admin Task Using Cobalt Strike for Internal Red Team Exercise
Description: A security team member uses Cobalt Strike as part of a red team exercise to simulate an attack.
Filter/Exclusion: Exclude processes initiated by users with the “Red Team” or “Security” group membership, or where the command line includes --redteam or --exercise.
Scenario: Cobalt Strike Used for Internal Code Signing
Description: A developer uses Cobalt Strike to sign internal binaries for distribution within the organization.
Filter/Exclusion: Exclude processes where the command line includes --sign or --code-sign, and the user is part of the “DevOps” or “Signing” team.
Scenario: System Maintenance Task with Cobalt Strike Beacon
Description: A system maintenance script uses a Cobalt Strike beacon to monitor system health or collect logs.
Filter/Exclusion: Exclude processes where the parent process is task scheduler or schtasks.exe, and the command line includes monitor or logcollect.
Scenario: Cobalt Strike Used for Internal Network Discovery
Description: A network administrator uses Cobalt Strike to map internal network topology for documentation purposes.
Filter/Exclusion: Exclude processes where the command line includes --map or --network, and the user is part of the “Network Admin” group.