The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be establishing persistent access to the network. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threat (APT) operations early in the attack lifecycle.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 13
IOC Types: ip:port
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: the IOCs are ip:port pairs, but this query matches on IP alone;
// compare DestinationPort against the reported ports when triaging hits.
let malicious_ips = dynamic(["185.89.116.55", "8.163.59.20", "103.230.15.38", "38.47.122.34", "103.190.67.166", "34.92.128.98", "47.92.206.63"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP-only match as above; RemotePort is projected so the port can be checked during triage.
let malicious_ips = dynamic(["185.89.116.55", "8.163.59.20", "103.230.15.38", "38.47.122.34", "103.190.67.166", "34.92.128.98", "47.92.206.63"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
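As an added example (not part of this page's detection content), the Python below refangs three of the page's ThreatFox ip:port IOCs and runs the same IP match as the KQL hunts over constructed CommonSecurityLog-style records, additionally separating exact ip:port hits from IP-only hits so an analyst can rank what to triage first. The log records and the internal addresses in them are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# ip:port IOCs in ThreatFox defanged form, taken from this page's Cobalt Strike indicator list.
IOCS = ["38[.]47[.]122[.]34:443", "185[.]89[.]116[.]55:8443", "8[.]163[.]59[.]20:8080"]

# Constructed sample records shaped like the CommonSecurityLog columns the query projects.
SAMPLE_LOG = [
    {"TimeGenerated": "2026-06-11T08:14:02Z", "SourceIP": "10.0.5.17", "DestinationIP": "38.47.122.34", "DestinationPort": 443},
    {"TimeGenerated": "2026-06-11T08:15:30Z", "SourceIP": "10.0.5.22", "DestinationIP": "8.163.59.20", "DestinationPort": 53},
    {"TimeGenerated": "2026-06-11T08:16:11Z", "SourceIP": "10.0.5.9", "DestinationIP": "203.0.113.10", "DestinationPort": 443},
    {"TimeGenerated": "2026-06-11T08:17:45Z", "SourceIP": "185.89.116.55", "DestinationIP": "10.0.5.40", "DestinationPort": 3389},
]

def refang(ioc: str) -> Tuple[str, int]:
    """Turn '38[.]47[.]122[.]34:443' into ('38.47.122.34', 443), validating both parts."""
    host, sep, port = ioc.replace("[.]", ".").rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ipaddress.ip_address(host)  # raises ValueError on a malformed address
    return host, int(port)

def build_index(iocs: List[str]) -> Dict[str, Set[int]]:
    """Map each C2 IP to the set of ports reported for it."""
    index: Dict[str, Set[int]] = {}
    for ioc in iocs:
        ip, port = refang(ioc)
        index.setdefault(ip, set()).add(port)
    return index

def classify(record: dict, index: Dict[str, Set[int]]) -> str:
    """'ip_port': destination IP and port both match an IOC (highest confidence);
    'ip_only': an IP matched but not the port (all the KQL above can tell you); 'none' otherwise."""
    dst, port = record["DestinationIP"], record["DestinationPort"]
    if dst in index:
        return "ip_port" if port in index[dst] else "ip_only"
    if record["SourceIP"] in index:
        return "ip_only"  # inbound hit; the C2 port would be the source port, which is not projected
    return "none"

def hunt(records: List[dict], iocs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (TimeGenerated, remote IP, match level) per hit, newest first like the query."""
    index = build_index(iocs)
    hits = []
    for r in records:
        level = classify(r, index)
        if level != "none":
            remote = r["DestinationIP"] if r["DestinationIP"] in index else r["SourceIP"]
            hits.append((r["TimeGenerated"], remote, level))
    return sorted(hits, reverse=True)
```

An IP-only hit on a port the intelligence never reported (here 8.163.59.20:53) still deserves a look, but exact ip:port hits are the ones to escalate first.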
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike Beacon to check in with the C2 server as part of a red team exercise or pentest.
Filter/Exclusion: Exclude processes where the parent process is a known red team tool (e.g., msfvenom, powerview, or invoke-mimikatz) or where the process is initiated by a scheduled task with a known red team identifier.
Scenario: System Administration Task Using Cobalt Strike
Description: An admin uses Cobalt Strike to perform a legitimate system administration task, such as remote code execution for patching or configuration management.
Filter/Exclusion: Exclude processes where the user is a domain admin and the command line includes known admin tasks (e.g., runas, psexec, or invoke-command with valid administrative scripts).
Scenario: Cobalt Strike Beacon Used in Penetration Testing
Description: A security team uses Cobalt Strike Beacon as part of a penetration test to simulate an advanced persistent threat.
Filter/Exclusion: Exclude processes where the user is a member of the security team and the process is initiated from a known test environment (e.g., TestEnv or PenTest directory).
Scenario: Cobalt Strike Beacon in a Multi-Stage Attack Simulation
Description: A red team deploys a Cobalt Strike Beacon as part of a multi-stage attack simulation, including lateral movement and data exfiltration.
Filter/Exclusion: Exclude processes where the Beacon is part of a known red team simulation (e.g., RedTeamSim or BlueTeamExercise) and the command line includes simulation-specific flags.
Scenario: Cobalt Strike Beacon Used for Incident Response Testing
Description: An incident response team uses Cob