← Back to SOC feed Coverage →

ThreatFox: Cobalt Strike IOCs

ioc-hunt HIGH ThreatFox
CommonSecurityLogDeviceNetworkEvents
cobalt-strikeiocthreatfoxwin-cobalt_strike
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at ThreatFox →
Retrieved: 2026-06-14T11:00:00Z · Confidence: high

Hunt Hypothesis

The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.

IOC Summary

Malware Family: Cobalt Strike Total IOCs: 21 IOC Types: ip:port

TypeValueThreat TypeFirst SeenConfidence
ip:port45[.]67[.]39[.]175:995botnet_cc2026-06-14100%
ip:port194[.]38[.]104[.]204:443botnet_cc2026-06-1498%
ip:port185[.]190[.]157[.]173:443botnet_cc2026-06-1498%
ip:port185[.]220[.]60[.]185:443botnet_cc2026-06-1498%
ip:port185[.]193[.]88[.]139:8443botnet_cc2026-06-14100%
ip:port194[.]58[.]98[.]20:443botnet_cc2026-06-14100%
ip:port65[.]87[.]7[.]18:80botnet_cc2026-06-14100%
ip:port8[.]152[.]2[.]86:9999botnet_cc2026-06-14100%
ip:port103[.]47[.]83[.]115:80botnet_cc2026-06-14100%
ip:port188[.]227[.]14[.]105:80botnet_cc2026-06-14100%
ip:port65[.]21[.]202[.]12:80botnet_cc2026-06-14100%
ip:port165[.]154[.]254[.]203:80botnet_cc2026-06-14100%
ip:port165[.]154[.]254[.]203:443botnet_cc2026-06-14100%
ip:port49[.]232[.]4[.]71:81botnet_cc2026-06-14100%
ip:port49[.]232[.]4[.]71:8080botnet_cc2026-06-14100%
ip:port49[.]232[.]4[.]71:443botnet_cc2026-06-14100%
ip:port49[.]232[.]4[.]71:80botnet_cc2026-06-14100%
ip:port43[.]99[.]110[.]114:8081botnet_cc2026-06-14100%
ip:port120[.]27[.]245[.]127:8080botnet_cc2026-06-13100%
ip:port120[.]27[.]245[.]127:443botnet_cc2026-06-13100%
ip:port120[.]27[.]245[.]127:80botnet_cc2026-06-13100%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["65.21.202.12", "103.47.83.115", "185.193.88.139", "188.227.14.105", "185.190.157.173", "185.220.60.185", "65.87.7.18", "165.154.254.203", "43.99.110.114", "49.232.4.71", "120.27.245.127", "45.67.39.175", "194.58.98.20", "194.38.104.204", "8.152.2.86"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["65.21.202.12", "103.47.83.115", "185.193.88.139", "188.227.14.105", "185.190.157.173", "185.220.60.185", "65.87.7.18", "165.154.254.203", "43.99.110.114", "49.232.4.71", "120.27.245.127", "45.67.39.175", "194.58.98.20", "194.38.104.204", "8.152.2.86"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DeviceNetworkEventsEnsure this data connector is enabled

References

False Positive Guidance

Original source: https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/