Adversaries are leveraging Cobalt Strike IOCs to establish persistent command-and-control channels and exfiltrate data within the network. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and disrupt advanced persistent threat activities before they cause significant damage.
IOC Summary
Malware Family: Cobalt Strike Total IOCs: 17 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 68[.]64[.]178[.]130:8443 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 45[.]227[.]253[.]121:35120 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 36[.]138[.]84[.]183:18443 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 43[.]204[.]108[.]246:443 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 43[.]204[.]108[.]246:80 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 43[.]204[.]108[.]246:8080 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 166[.]88[.]95[.]98:8080 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 166[.]88[.]95[.]98:443 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 166[.]88[.]95[.]98:80 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 194[.]58[.]106[.]111:443 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 47[.]108[.]25[.]113:80 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 47[.]108[.]25[.]113:8080 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 137[.]220[.]199[.]248:443 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 114[.]116[.]249[.]214:81 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 119[.]27[.]173[.]104:8080 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 157[.]22[.]192[.]234:8080 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 193[.]29[.]58[.]188:8080 | botnet_cc | 2026-05-26 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["157.22.192.234", "114.116.249.214", "47.108.25.113", "36.138.84.183", "43.204.108.246", "194.58.106.111", "68.64.178.130", "45.227.253.121", "193.29.58.188", "137.220.199.248", "166.88.95.98", "119.27.173.104"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["157.22.192.234", "114.116.249.214", "47.108.25.113", "36.138.84.183", "43.204.108.246", "194.58.106.111", "68.64.178.130", "45.227.253.121", "193.29.58.188", "137.220.199.248", "166.88.95.98", "119.27.173.104"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to verify connectivity or perform maintenance.
Filter/Exclusion: process.name != "beacon.exe" OR process.parent.name != "task scheduler"
Scenario: Admin Task Using Cobalt Strike for Internal Red Team Exercise
Description: A security team member uses Cobalt Strike as part of a red team exercise to test internal defenses.
Filter/Exclusion: process.user != "security_team_user" OR process.command_line contains "redteam"
Scenario: Cobalt Strike Beacon Used for Network Discovery (Legitimate Use)
Description: A network discovery tool or script uses Cobalt Strike beacon to map internal network topology.
Filter/Exclusion: process.name contains "network_discovery_tool" OR process.command_line contains "map_network"
Scenario: Cobalt Strike Beacon Used for Log Collection (Internal Monitoring)
Description: A log aggregation tool uses a Cobalt Strike beacon to collect logs from remote servers.
Filter/Exclusion: process.name contains "log_collector" OR process.command_line contains "collect_logs"
Scenario: Cobalt Strike Beacon Used for System Health Check (Internal Monitoring)
Description: A system health monitoring tool uses a Cobalt Strike beacon to check server uptime and resource usage.
Filter/Exclusion: process.name contains "health_check_tool" OR process.command_line contains "check_system"