Adversaries are using Cobalt Strike infrastructure to establish command and control and exfiltrate data, a pattern consistent with advanced persistent threat activity. SOC teams should proactively hunt for the indicators below in Azure Sentinel so that such intrusions are detected and mitigated before significant damage occurs.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 14
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 221[.]132[.]29[.]137:81 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 119[.]45[.]166[.]6:9875 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 1[.]92[.]101[.]103:8006 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 209[.]126[.]7[.]188:443 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 209[.]126[.]7[.]188:8080 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 209[.]126[.]7[.]188:80 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 43[.]138[.]165[.]203:9003 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 42[.]193[.]15[.]237:9003 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 156[.]234[.]211[.]242:7661 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 175[.]24[.]207[.]15:80 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 175[.]24[.]207[.]15:443 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 91[.]219[.]96[.]131:58908 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 185[.]92[.]190[.]217:8896 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 1[.]13[.]141[.]229:8480 | botnet_cc | 2026-06-17 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: the IOC table lists ip:port pairs, but this query matches the 11 unique IPs
// only (the three 209.126.7.188 and two 175.24.207.15 entries collapse to one each),
// so a connection on any port is reported.
let malicious_ips = dynamic(["42.193.15.237", "119.45.166.6", "156.234.211.242", "91.219.96.131", "185.92.190.217", "221.132.29.137", "209.126.7.188", "1.13.141.229", "175.24.207.15", "1.92.101.103", "43.138.165.203"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Run as a separate query: each query declares its own malicious_ips list.
let malicious_ips = dynamic(["42.193.15.237", "119.45.166.6", "156.234.211.242", "91.219.96.131", "185.92.190.217", "221.132.29.137", "209.126.7.188", "1.13.141.229", "175.24.207.15", "1.92.101.103", "43.138.165.203"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
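The two queries above drop the port half of each indicator. The following added example (not part of the original feed page or its queries) matches the exact ip:port pairs from the IOC table across both tables, carries the feed confidence into the result, and summarizes hits per indicator; it assumes the standard CommonSecurityLog and DeviceNetworkEvents schemas.

```kusto
// Added example: exact ip:port matching against the 14 Cobalt Strike IOCs above.
// Confidence values are copied from the IOC table.
let cs_c2 = datatable(RemoteIP:string, RemotePort:int, Confidence:int) [
    "221.132.29.137",  81,    100,
    "119.45.166.6",    9875,  100,
    "1.92.101.103",    8006,  100,
    "209.126.7.188",   443,   100,
    "209.126.7.188",   8080,  100,
    "209.126.7.188",   80,    100,
    "43.138.165.203",  9003,  75,
    "42.193.15.237",   9003,  75,
    "156.234.211.242", 7661,  75,
    "175.24.207.15",   80,    100,
    "175.24.207.15",   443,   100,
    "91.219.96.131",   58908, 75,
    "185.92.190.217",  8896,  75,
    "1.13.141.229",    8480,  75
];
// Firewall / proxy traffic arriving via CEF. Column names are normalized so both
// sources can be unioned before the lookup.
let cef = CommonSecurityLog
    | project TimeGenerated, Host = DeviceName, Source = SourceIP,
              RemoteIP = DestinationIP, RemotePort = DestinationPort,
              Context = Activity, SourceTable = "CommonSecurityLog";
// Endpoint network telemetry from Defender for Endpoint.
let mde = DeviceNetworkEvents
    | project TimeGenerated = Timestamp, Host = DeviceName, Source = LocalIP,
              RemoteIP, RemotePort, Context = InitiatingProcessFileName,
              SourceTable = "DeviceNetworkEvents";
union cef, mde
// lookup with a small dimension table keeps only rows matching BOTH ip and port
| lookup kind=inner cs_c2 on RemoteIP, RemotePort
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hosts = make_set(Host, 20),
            Sources = make_set(SourceTable)
          by RemoteIP, RemotePort, Confidence
| order by Confidence desc, Hits desc
```

Because operators can move a Beacon listener to a new port, keep running the broader IP-only queries alongside this one and treat an IP-only hit as lower-confidence rather than noise.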
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) / Syslog data connectors (firewall, proxy, IDS logs); ensure the connector is enabled and that DestinationIP and DestinationPort are being parsed |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; ensure the connector is enabled and the DeviceNetworkEvents table is selected for ingestion |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike Beacon to check in with the C2 server as part of a red team exercise or penetration test.
Filter/Exclusion: Exclude processes associated with known red team tools (e.g., beacon.exe, cobaltstrike.exe) or filter by user context (e.g., user = redteam).
Scenario: Admin Task to Generate Cobalt Strike Reports
Description: An administrator uses Cobalt Strike to generate reports or export data for internal security assessments.
Filter/Exclusion: Exclude processes initiated by admin accounts (e.g., user = admin) or filter by command-line arguments containing keywords like report, export, or generate.
Scenario: System Maintenance Using Cobalt Strike for Log Analysis
Description: A system administrator uses Cobalt Strike to analyze logs or perform forensic analysis on a compromised system.
Filter/Exclusion: Exclude processes running under a specific admin account (e.g., user = sysadmin) or filter by file paths related to log analysis tools.
Scenario: Cobalt Strike Used for Internal Red Team Training
Description: A red team within the organization uses Cobalt Strike for training purposes, simulating attack scenarios.
Filter/Exclusion: Exclude processes that run during scheduled training windows (e.g., time = 10:00-12:00) or filter by user group (e.g., user_group = redteam).
Scenario: Cobalt Strike Beacon Used for Internal Monitoring
Description: A security team deploys a Cobalt Strike Beacon to monitor network traffic or test internal defenses.
Filter/Exclusion: Exclude processes that are part of a known internal monitoring initiative (e.g., `process_name =