Adversaries may use Cobalt Strike to establish persistent command and control inside the network, exfiltrating data while remaining stealthy; the indicators below are the command-and-control endpoints associated with that activity. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 12
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]61[.]163[.]145:80 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 45[.]61[.]163[.]145:443 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 112[.]213[.]113[.]171:80 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 8[.]152[.]2[.]86:81 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 45[.]64[.]111[.]18:80 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 38[.]47[.]226[.]41:8443 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 45[.]64[.]111[.]21:80 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 45[.]64[.]111[.]19:80 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 8[.]163[.]135[.]135:443 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 45[.]64[.]111[.]20:80 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 120[.]26[.]208[.]96:8080 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 120[.]26[.]208[.]96:443 | botnet_cc | 2026-06-08 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["45.64.111.18", "45.64.111.20", "8.152.2.86", "120.26.208.96", "38.47.226.41", "8.163.135.135", "45.61.163.145", "45.64.111.21", "45.64.111.19", "112.213.113.171"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.64.111.18", "45.64.111.20", "8.152.2.86", "120.26.208.96", "38.47.226.41", "8.163.135.135", "45.61.163.145", "45.64.111.21", "45.64.111.19", "112.213.113.171"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: A red team member is running a Cobalt Strike beacon as part of a sanctioned penetration test.
Filter/Exclusion: Check for presence of a known red team IP range or use of a specific red team tool (e.g., cobaltstrike.exe in a known red team directory).
Example Filter: process.name == "cobaltstrike.exe" && file.path contains "redteam/tools"
Scenario: Scheduled System Maintenance Task
Description: A system administrator is running a scheduled task that uses taskkill or tasklist to manage processes; this activity may resemble the process-level indicators associated with Cobalt Strike.
Filter/Exclusion: Exclude processes associated with system maintenance tools (e.g., taskkill.exe, schtasks.exe) or check for presence of a known admin task name.
Example Filter: process.name == "taskkill.exe" && process.args contains "/F /IM"
Scenario: Legitimate Cobalt Strike Beacon in a Security Training Lab
Description: A security training lab is using a Cobalt Strike beacon to simulate an attack for educational purposes.
Filter/Exclusion: Check for presence of a lab environment identifier (e.g., lab_env registry key or a known lab IP range).
Example Filter: process.name == "cobaltstrike.exe" && registry.value("HKLM\\Software\\LabEnv") == "true"
Scenario: Malicious PowerShell Script Mimicking Cobalt Strike Behavior
Description: A PowerShell script is being used to perform lateral movement and may trigger the same IOCs as Cobalt Strike.
Filter/Exclusion: Exclude PowerShell scripts that are not associated with Cobalt Strike (e.g., check for presence of Invoke-Command or `New